Skill v0.1.1

ClawScan security

Thunderbird · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 10:12 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements are consistent with its stated purpose of reading and searching local Thunderbird profile data; it asks for no external credentials or installs and only accesses profile files on disk.
Guidance
This skill legitimately reads local Thunderbird profile files (prefs.js, mail folders/caches) and can extract message bodies and attachments. Before installing or letting an agent use it, be aware that it will expose email content from any profile it can access — sensitive personal or corporate data may be read. The skill does not request external credentials or perform network exfiltration in the provided code, but review and test the script in a safe environment if you have privacy concerns, and avoid running it under an agent with broad filesystem access unless you explicitly trust it. If you want stricter control, run the script manually (not via an autonomous agent) and point it at a single profile path rather than allowing automatic profile discovery.

Review Dimensions

Purpose & Capability
ok: Name/description match the included CLI script and README: the skill locates Thunderbird profiles, parses prefs.js, reads mbox/Maildir under Mail/ and ImapMail/, and can list/search messages and attachments — all expected for an offline Thunderbird inspector.
Instruction Scope
ok: SKILL.md instructs running the bundled Python script and documents the exact files/paths used (prefs.js, Mail/, ImapMail/, mbox/maildir). The instructions do not request unrelated files, network calls, or hidden endpoints. The script can save attachments to disk when the user supplies --save-attachments (expected behavior).
Install Mechanism
ok: No install spec — instruction-only with a bundled Python script. Nothing is downloaded or written to disk by an installer; risk from install mechanism is minimal.
Credentials
ok: The skill declares no required environment variables or credentials. The code reads APPDATA from the environment to find Windows profile roots, which is appropriate for locating Thunderbird data and is proportionate to the purpose.
Persistence & Privilege
ok: always:false and no requests to modify other skills or agent-wide config. The skill runs on demand and does not request permanent elevated presence.