CDP Gmail Delivery

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-aligned for sending Gmail, but it gives an agent real send-and-attach authority from a logged-in browser session without a separate human approval gate.

Install only if you are comfortable letting the agent control a visible, logged-in Gmail session. Before each run, independently verify the recipient, subject, body, and attachments, close or save existing drafts, avoid sensitive files unless necessary, and treat any Drive-link fallback as a separate sharing decision with restricted recipient access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill invokes local scripts and Node-based automation against a user-controlled Chrome debug session, which gives it effective access to local environment context and browser state without declaring corresponding permissions. This mismatch is dangerous because operators and policy systems may underestimate the skill's access to sensitive data such as authenticated Gmail sessions, local file paths, and runtime environment details.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file instructs the agent to upload files to Google Drive and share links as a fallback, which expands the skill from Gmail-only message delivery into separate cloud storage, access-control, and file-sharing operations. That scope expansion creates additional exfiltration and permission-setting risk, especially because it explicitly recommends Drive links for executable-looking archives and skill bundles that email security controls would otherwise block.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This receipt file exposes privacy-sensitive operational details including a Gmail account identifier, recipient email, message subject, local file paths, and Chrome DevTools endpoint context. In a skill specifically designed to send email from a logged-in local browser session, these details materially increase the risk of user deanonymization, sensitive metadata leakage, and misuse of the operator’s mail environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends Gmail messages directly through an operator-controlled Chrome session once arguments are supplied, with no in-script confirmation, preview gate, or interactive approval immediately before transmission. In this skill’s context, that is especially dangerous because it operates against a live logged-in Gmail account via CDP, so a mistaken prompt, compromised caller, or unintended automation path could cause real outbound email and attachments to be sent to arbitrary recipients without the human noticing in time.

VirusTotal

64/64 vendors flagged this skill as clean.