iClawd Email

Security checks across malware telemetry and agentic risk

Overview

The skill is a real email integration, but it instructs agents to expose long-lived email credentials through chat or full config sharing.

Install only if you intentionally want an agent-controlled external email account. Do not allow the agent to paste API keys, config files, or PGP private keys into chat; store them locally with restrictive permissions or in a secret manager. Require explicit approval before external sends, service signups, webhook setup, or irreversible inbox deletion, and prefer the reviewed ClawHub package over live remote instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The setup flow explicitly tells the agent to share its credential file with the owner immediately after creation, even though that file contains the API key and may also contain private PGP keys. In agent environments, 'share with your owner' can be interpreted through natural-language chat or other uncontrolled channels, creating a direct secret-exfiltration path and undermining the surrounding security guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly tells users to have an agent fetch and execute setup instructions from a remote URL, then create an inbox and begin sending/receiving email over an HTTP API. This creates a trust-on-first-use problem and can lead to unreviewed network access, account creation, credential handling, and external data transmission by the agent without clear user acknowledgement or review of the fetched skill contents.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown tells the agent to share private credentials with the owner but does not enforce a safe disclosure mechanism at the point of instruction. Because many agent systems cannot strongly authenticate who the 'owner' is in chat, this creates a realistic prompt-driven leakage route for secrets.

Ssd 3

High
Confidence
98% confidence
Finding
The credential file text says the agent may show the config, credentials, or API key in direct chat because the person chatting directly is the owner. That assumption is unsafe: chat identity may be spoofed, relayed, logged, or exposed to other tools, so this instruction normalizes disclosure of high-value secrets through natural language.

Ssd 3

High
Confidence
95% confidence
Finding
The setup section says that after creating the inbox, the agent should save everything locally and share it with the owner. Since 'everything' includes the API key and possibly private keys, this introduces an explicit secret disclosure workflow as part of normal setup.

Ssd 3

High
Confidence
97% confidence
Finding
Instructing the agent to immediately share the full config file creates a built-in natural-language exfiltration path for API keys and any stored private material. The surrounding context makes this more dangerous because the skill is specifically about external communications, so compromise of the mail credential enables impersonation, message access, and further phishing or account recovery abuse.

VirusTotal

65/65 vendors flagged this skill as clean.
