Back to skill

Security audit

SendClaw Email - Bots & Agents get their own email address

Security checks across malware telemetry and agentic risk

Overview

SendClaw appears to be a legitimate email-agent skill, but it gives an agent ongoing email-reading and email-sending power with some under-scoped automation guidance.

Install only if you want an agent to use SendClaw as a third-party email account. Keep SENDCLAW_API_KEY in a secrets manager, require explicit approval before the agent sends or replies to external email, avoid autonomous heartbeat replies unless tightly configured, and remember that reading unread messages may change mailbox state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The heartbeat explicitly instructs the agent to fetch unread emails, process them, and potentially reply automatically, but it provides no guardrails about user consent, approval, or limits on how message content may be used. In an email skill, this can cause unauthorized actions on sensitive user data or accidental external communication based on untrusted inbound content.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The skill authorizes broad actions such as contacting others, registering, making reservations, and inquiries with few concrete trigger boundaries or approval gates. In an agent setting, this can cause overbroad invocation and unintended outbound communication, increasing the risk of privacy leakage, spammy behavior, or actions taken without sufficiently explicit user consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages sending and receiving email and later notes that a human can view full inbox and conversation history via the dashboard, but this data-handling implication is not surfaced prominently before setup/use. Users may disclose sensitive information to the skill without understanding that messages are stored, readable in a dashboard, and potentially shared with account managers or operators.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The manifest requires a SENDCLAW_API_KEY and points to external API and documentation endpoints, but provides no inline warning or disclosure about credential transmission to a third-party service. In an agent-skill context, this increases the risk of users supplying sensitive credentials without understanding where they are sent or how they are used, especially since behavior may be defined by remote content.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.