Clawaimail

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate email-integration skill, but it gives an agent real send/delete authority and can create remote inboxes as a side effect of ordinary-looking actions.

Install only if you intend to let an agent operate a real ClawAIMail account. Use a dedicated limited API key, require human approval before sending email or deleting inboxes, pass explicit inbox IDs where possible, and verify the npm package/version before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Description-Behavior Mismatch

Severity: Medium | Confidence: 95%
The helper used by multiple tools will create a brand-new inbox whenever no inboxes exist, even for operations described as merely using a default inbox. This introduces an undisclosed state-changing side effect on read/send flows, which can surprise users, alter account state, and cause unintended resource creation or policy bypass in agent environments that expect read-like tools to be non-mutating.

Intent-Code Divergence

Severity: Medium | Confidence: 93%
The send_email description says omitting inbox_id uses the default inbox, but the implementation may create a new inbox instead. This mismatch is security-relevant because agent planners and users may authorize a send action under the assumption it won't provision new remote resources, leading to unintended account changes.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
The list_messages description implies a passive read from an existing default inbox, but the implementation may create a new inbox as a side effect when none exists. That turns a read-style operation into a write operation, which is dangerous in least-privilege or approval-gated agent settings.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
The read_email tool claims it uses the default inbox if inbox_id is omitted, but it may create a new inbox first. This misleading contract can cause hidden account mutation during what appears to be a read-only action, undermining user consent and automated safety controls.

Intent-Code Divergence

Severity: Medium | Confidence: 92%
The search_emails tool is described as using the default inbox, but in practice it can create a new inbox if none exists. Hidden resource creation in a search operation is a trust and safety issue because users and orchestration layers may treat search as non-mutating and approve it more broadly.

Missing User Warnings

Severity: Medium | Confidence: 86%
The README exposes powerful actions such as sending email and deleting inboxes without any warning about external side effects, irreversible operations, or the need for explicit user confirmation. In an agent-integrated context, this increases the risk that an AI system will invoke destructive or externally visible actions automatically, causing data loss, spam, or unintended communications.

Missing User Warnings

Severity: Medium | Confidence: 91%
This skill handles real email traffic, meaning prompts, message bodies, recipients, and inbox contents may be transmitted to or retrieved from a third-party service. Without prominent user warnings, operators may unintentionally expose sensitive communications or use the skill in contexts where external email handling is not acceptable.

Missing User Warnings

Severity: Medium | Confidence: 89%
The documented `delete_inbox` capability can permanently remove an inbox and all messages, but the file does not warn users that this is destructive and potentially irreversible. In an agent setting, ambiguous tool use or prompt injection could trigger deletion and cause loss of records, credentials, or business communications.

Missing User Warnings

Severity: Medium | Confidence: 94%
This code performs a remote POST to create an inbox automatically without any explicit confirmation at the tool call site. In agent contexts, silent state-changing actions are risky because a model may trigger them while attempting a read or send workflow, causing unintended account modifications and possible billing, quota, or compliance consequences.

Missing User Warnings

Severity: High | Confidence: 90%
`delete_inbox` irreversibly deletes an inbox and all messages with no in-code confirmation, soft-delete, or additional safeguard. In an agent setting, a mistaken invocation, prompt injection, or ambiguous user request could lead to permanent loss of email data and operational disruption.

VirusTotal

64/64 vendors flagged this skill as clean.