Gmail Link Archiver

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it reads selected Gmail messages, crawls their links, and saves Markdown copies, but it handles credentials and installs browser dependencies, so users should treat it as sensitive.

Install only if you are comfortable giving the skill a dedicated Gmail App Password and saving it under your local user account. Use a narrow subject prefix, start with a small --max-links value, run dependency setup in an isolated environment when possible, and revoke the app password or delete ~/.config/gmail-link-archiver/config.json when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (9)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print("[SETUP] Installing Chromium browser...")
    try:
        subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])
    except subprocess.CalledProcessError as e:
        print(f"[ERROR] Failed to install Chromium: {e}")
        return False
Confidence
91% confidence
Finding
subprocess.check_call([sys.executable, "-m", "playwright", "install", "chromium"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Install system deps for headless Chromium on Linux (best-effort)
    try:
        subprocess.check_call(
            [sys.executable, "-m", "playwright", "install-deps", "chromium"],
            stderr=subprocess.DEVNULL,
        )
Confidence
95% confidence
Finding
subprocess.check_call([sys.executable, "-m", "playwright", "install-deps", "chromium"], stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        print("[SETUP] Installing Playwright...")
        try:
            subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright"])
        except subprocess.CalledProcessError as e:
            print(f"[ERROR] Failed to install Playwright: {e}")
            return False
Confidence
90% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "playwright"])

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    except ImportError:
        print("[SETUP] Installing html2text...")
        try:
            subprocess.check_call([sys.executable, "-m", "pip", "install", "html2text"])
        except subprocess.CalledProcessError as e:
            print(f"[ERROR] Failed to install html2text: {e}")
            return False
Confidence
88% confidence
Finding
subprocess.check_call([sys.executable, "-m", "pip", "install", "html2text"])

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill performs sensitive actions including network access (IMAP and web crawling), file writes to the workspace, local credential storage, and shell-based dependency installation, yet it does not declare corresponding permissions in a structured way. This creates a trust and review gap: an agent or user may authorize the skill without realizing it can access email contents, persist secrets locally, fetch arbitrary attacker-controlled URLs from emails, and execute setup commands.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill installs Python packages, browser binaries, and system dependencies at runtime, which is broader than its stated role of archiving links from Gmail. This mismatch matters because users may grant trust based on a narrow description while the code performs software installation and potentially host-level modification, increasing both attack surface and operational risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill persists Gmail IMAP credentials, including the app password, to a local config file. Even with chmod 600, storing reusable email credentials on disk is a sensitive capability not clearly reflected in the skill description, and it increases the consequence of local compromise or accidental exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
During setup, the user is asked for a Gmail app password and the resulting config is saved, but there is no explicit warning that the credential will be persisted locally. This undermines informed consent and can lead users to expose a long-lived credential unexpectedly, especially in shared or insufficiently secured environments.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill automatically crawls links extracted from emails and writes the converted content to disk without a strong execution-time warning or confirmation. Because email links are untrusted input, this can trigger unexpected outbound requests to attacker-controlled sites, load active web content in a browser context, and save potentially sensitive or maliciously crafted content locally.

VirusTotal

57/57 vendors flagged this skill as clean.
