Skillv1.2.0

ClawScan security

Smart Email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 12:28 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what its description says (IMAP/Graph email fetching + AI summaries), but there are mismatches and privacy risks you should understand before installing—most notably a false claim of local encrypted storage, plaintext credential storage, and configurable AI endpoints that will receive email contents.
Guidance: What to consider before installing/using this skill: - The skill will ask you for mailbox access: OAuth tokens or app passwords. These are stored locally in data/email.db (plaintext). Do not install if you require encrypted-at-rest storage unless you add/enforce encryption yourself. - SKILL.md claims local encrypted storage, but the code does not encrypt secrets—this is a false claim. Treat stored passwords/tokens as plaintext on disk. - The skill sends email text to the configured AI API (ai_api_base). Only set ai_api_base to a trusted provider (and prefer keeping sensitive content off third-party services). If you must use external summarization, prefer a provider you control or one with appropriate privacy commitments. - Prefer OAuth (Outlook/M365) over app passwords when possible. Avoid pasting app passwords into public or untrusted chat channels; the skill’s UX sometimes expects the user to supply passwords via chat which can be insecure. - The web UI exposes an access token and accepts it via query parameter; run the web UI only bound to localhost and avoid port-forwarding to the public internet. Protect <SKILL_DIR>/data and config.json with strict filesystem permissions. - If you need strong assurances (encrypted storage, audited network endpoints), review/modify the code: implement encrypted credential storage, restrict ai_api_base to allowed hosts, and add logging/consent notices before sending email bodies externally. If you’re not comfortable auditing or modifying the code yourself, run the skill in an isolated environment (VM/container) or decline installation.

Review Dimensions

Purpose & Capability: noteThe code (imap, oauth, ai, store, server) implements an email assistant that fetches mail via IMAP and Microsoft Graph and sends content to an AI service for summarization — this matches the skill description. Required binary (node) and npm dependencies (imapflow, better-sqlite3) are coherent. Minor inconsistency: registry metadata said “no install spec” but SKILL.md contains an npm install step; this is likely an authoring mismatch rather than malicious.
Instruction Scope: concernSKILL.md and UI instruct collecting app passwords and OAuth tokens to access users' mailboxes and to send email text to an AI API. The README explicitly claims “local encrypted storage,” but the implementation stores passwords and tokens in plaintext in data/email.db and config.json (store.js and config.js). The skill will send email bodies (or previews) to the configured AI API base — this is expected for summarization but is a sensitive data flow and can leak private email contents to whichever AI endpoint is configured. SKILL.md also suggests guiding users to provide App Passwords via chat (Telegram/WhatsApp/Feishu), which risks exposing credentials in transit or in chat history.
Install Mechanism: noteNo remote arbitrary download is used: SKILL.md includes an npm install step and package.json lists dependencies from npm (imapflow, better-sqlite3). These are standard, traceable packages. better-sqlite3 has native components (prebuilds or build steps), so installation may require a suitable environment (node version, build tools). No suspicious external URLs or extract-from-URL installers were found.
Credentials: concernRegistry declares no required env vars, but config.js supports environment overrides via EMAIL_SKILL_<KEY>. The skill requires user-provided AI API keys (ai_api_key) and optionally Microsoft client id/tenant (ms_client_id, ms_tenant_id). Those credentials are necessary for the stated functionality, but the code stores them locally in plaintext config.json and email.db. Also the ai_api_base is configurable — a malicious or misconfigured base could receive full email content. The number and type of credentials requested (email passwords, OAuth tokens, AI API key) are proportionate to an email summarizer, but the storage method and how users are asked to provide them (chat messages) are not.
Persistence & Privilege: noteThe skill does not request global or always-on privileges (always: false). It persists its own data under <SKILL_DIR>/data (email.db, config.json). The web UI generates and stores a web_token in the config file and accepts the token via cookie or URL query parameter; exposing tokens in query strings can leak via logs if the port is forwarded. The skill does not modify other skills or system-wide settings.