Smart Email

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent email assistant, but it handles mailbox contents and credentials with under-disclosed external AI processing and weak secret/security controls.

Review before installing. Use only with mailboxes whose contents may be sent to the configured AI provider, prefer OAuth over app passwords, avoid putting secrets in chat or shell command arguments, do not share the web UI token URL, and protect or delete the skill data directory because credentials and tokens appear to be stored without real encryption.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
79% confidence
Finding
The skill documentation describes networked behavior and likely environment access, yet no permissions are declared. This weakens the host's ability to present accurate consent and sandboxing expectations, especially for a skill that handles email accounts, OAuth flows, and AI API connectivity.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior materially exceeds the stated description by including a local web server, tokenized browser access, credential/token storage, and broader provider/configuration capabilities. For a credential-handling email skill, these hidden or under-disclosed behaviors increase attack surface and can mislead users about risk and deployment implications.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The document claims all data remains local and is not uploaded, but AI summarization necessarily sends email content or derived content to an external API. This is a privacy and trust violation that could expose sensitive business or personal emails to third parties under false assurances.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
For custom IMAP providers, the code sets `tls.rejectUnauthorized` to `false`, which disables certificate validation and permits man-in-the-middle interception of email credentials and message contents. In an email assistant handling highly sensitive mailbox data, this materially weakens transport security and can expose passwords, OAuth tokens, and fetched emails to active network attackers.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The Web UI exposes generic configuration read/write endpoints that are not scoped to email-assistant functionality. An authenticated UI user can inspect and alter arbitrary skill settings, which can enable secret disclosure, backend reconfiguration, or abuse of unrelated capabilities if other sensitive config entries exist.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The server logs a fully authenticated URL containing the bearer token and explicitly instructs operators to share it to grant access. Query-token authentication is easily leaked via logs, screenshots, clipboard history, browser history, and referrers, so anyone who obtains the URL can administer the UI.

Vague Triggers

Medium
Confidence
73% confidence
Finding
The trigger phrases are broad and can match common conversational messages about email, increasing the chance of unintended invocation. In a skill that reads mail, manages accounts, and may prompt for credentials, accidental activation can lead to privacy leaks or confusing, risky flows.

Missing User Warnings

High
Confidence
95% confidence
Finding
The setup and config instructions ask users to provide app passwords, mailbox passwords, and API keys without any safety guidance about secret handling. Collecting these credentials through ordinary chat or CLI flows raises the risk of interception, transcript retention, logging exposure, and accidental disclosure.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill advertises AI summaries and digests but does not clearly warn users that email contents may be processed by an external AI service. Given the sensitivity of inbox data, omission of this privacy notice can cause users to expose confidential information without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The function sends raw email fields, including sender, subject, and body, to a third-party AI endpoint without any evidence of user consent, disclosure, redaction, or tenant-controlled privacy guardrails. In an email assistant context, this is sensitive-content exfiltration risk because emails commonly contain personal data, credentials, internal business information, or regulated data.

Missing User Warnings

High
Confidence
98% confidence
Finding
Batch summarization amplifies the same privacy issue by transmitting multiple emails' contents in a single request, increasing the volume and sensitivity of exposed data. In this skill's context, daily digests and cross-platform email assistance make this more dangerous because a single operation can leak large amounts of mailbox content, potentially across personal and enterprise accounts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The read command always sends the full email body, sender, and subject to the AI summarization function before returning output, but there is no explicit user consent, warning, or local-only alternative at the call site. In an email assistant context this can expose sensitive mailbox contents to a third-party AI provider, creating confidentiality and compliance risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The digest command sends a batch of all fetched emails to summarizeBatch, which likely includes multiple messages' contents and metadata in one external AI request without explicit disclosure or confirmation. Because digests aggregate cross-account mailbox data, the privacy impact is higher than single-message summarization and may expose large volumes of sensitive communications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The setup flow accepts passwords via a --password CLI argument, which can be exposed through shell history, process listings, logging, and chat-based wrappers that invoke the CLI. In this skill's context, users interact through chat platforms and automation layers, making accidental credential disclosure more likely and increasing the chance of mailbox compromise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code fetches full mailbox message metadata and body content from Microsoft Graph and returns it for downstream use, but this file contains no built-in user disclosure, consent checkpoint, or minimization beyond a simple time filter and truncation. In an email-assistant skill operating through chat platforms, silently ingesting unread email content increases privacy risk and can expose sensitive mailbox data to other components, logs, summaries, or external messaging surfaces without clear user awareness at the point of collection.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code stores highly sensitive secrets including email passwords, OAuth access tokens, and refresh tokens in a local SQLite database in plaintext. If the host, filesystem, backups, logs, or another local process are compromised, an attacker can recover these credentials and gain persistent access to users' email accounts, which is especially dangerous given this skill manages real mailbox access across providers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The UI offers AI summary and digest actions for emails without clearly informing the user that email contents may be transmitted to an external AI provider. In an email assistant context, messages can contain highly sensitive personal or business data, so lack of disclosure creates a meaningful privacy and consent risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The UI collects an AI API key and allows saving it, but provides no user-facing explanation of where the key is stored, who can access it, or how it will be transmitted. This can mislead users into entering sensitive credentials without understanding retention and exposure risks.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The UI prompts for an email app password to connect a mailbox but does not explain backend handling, storage, or the sensitivity of that credential. Because mailbox passwords can grant broad access to private communications, collecting them without adequate warning is a significant security and privacy weakness.

Ssd 3

High
Confidence
98% confidence
Finding
The setup flow explicitly instructs the agent to ask users for mailbox passwords or app passwords in plain conversation and then use them for configuration. In chat-based environments, those secrets may be logged, synced, visible to platform operators, or exposed to other integrations, making credential theft and account compromise a serious risk.

VirusTotal

66/66 vendors flagged this skill as clean.
