Qq Mail Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine QQ Mail monitoring skill, but it deserves review because it can access private email, reveal verification codes, send mail, and run recurring checks with weak safeguards.

Review carefully before installing. Use a dedicated revocable QQ Mail authorization code, avoid storing it directly in shared script files, disable or limit TTS in shared spaces, require explicit confirmation before reading messages, revealing verification codes, or sending email, and verify any cron job can be paused or removed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill documentation describes scripts that read mailbox contents, write a local state file, and access external mail servers, yet there is no declared permission model or explicit capability disclosure. This creates a transparency and consent problem: a user or platform may invoke a skill with broader effective access than expected, including access to sensitive email metadata and local files.

Missing User Warnings

Medium
Confidence: 86%
Finding:
The publishing guide markets automatic email monitoring, sending, and TTS announcements but does not require any user-facing disclosure about privacy risks, mailbox access scope, or local audio disclosure. In an email-monitoring skill, missing warnings can lead to unintended exposure of sensitive message contents, verification codes, or personal data to the user environment or nearby listeners.

Missing User Warnings

Medium
Confidence: 91%
Finding:
The suggested promotional copy explicitly highlights verification-code extraction and auto-reply, which are sensitive behaviors, but provides no corresponding warning about security, abuse potential, or user consent. In context, this can normalize risky deployment patterns that expose one-time codes, automate responses without review, or encourage users to process sensitive communications without appropriate safeguards.

Missing User Warnings

Medium
Confidence: 92%
Finding:
The README promotes real-time monitoring and TTS playback of email subjects and senders but does not clearly warn that this can disclose sensitive information to nearby people or through visible notifications. In an email-monitoring skill, this omission materially increases privacy risk because verification codes, sender identities, and sensitive subject lines may be exposed in shared environments.

Vague Triggers

Medium
Confidence: 88%
Finding:
Trigger phrases such as '现在检查邮件' ("check mail now"), '暂停邮件监控' ("pause mail monitoring"), and '修改邮件提醒方式' ("change the mail notification method") are broad and do not define authentication, confirmation, or scope boundaries. In an agent environment, overly permissive natural-language triggers can enable unintended execution of privacy-sensitive actions or reconfiguration through ambiguous or injected instructions.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The skill handles highly privacy-sensitive data, including email subjects, senders, possible verification codes, and potentially attachments, but the description does not prominently warn users about this data exposure. Without explicit privacy notice and consent language, users may not understand that mailbox metadata and contents can be processed, spoken aloud via TTS, stored, or transmitted.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The script encourages direct embedding of mailbox credentials in source code via module-level constants. In practice, users often replace these placeholders with real secrets and then leave them in files, shells, logs, backups, or version control, which can expose full mailbox access if the authorization code is leaked.

VirusTotal

66/66 vendors flagged this skill as clean.
