Unified Mailbox AI

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to monitor email, but it gives automated AI workflows broad mailbox/calendar access and ongoing Telegram notification authority that users should review carefully before installing.

Install only if you are comfortable with an automated agent reading configured Outlook/Gmail mail and calendars, sending summaries to Telegram, and running on a schedule. Review the OAuth scopes, avoid broad write/send permissions if possible, be cautious with ~/.bashrc and cron defaults, and use this only on accounts where external AI processing and Telegram delivery are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (17)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Emails:
{email_summary}"""

    result = subprocess.run([
        OPENCLAW_BIN, 'agent',
        '--message', message,
        '--deliver',
Confidence
91% confidence
Finding
result = subprocess.run([ OPENCLAW_BIN, 'agent', '--message', message, '--deliver', '--to', TELEGRAM_USER ])

Tainted flow: 'message' from os.environ.get (line 313, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
Emails:
{email_summary}"""

    result = subprocess.run([
        OPENCLAW_BIN, 'agent',
        '--message', message,
        '--deliver',
Confidence
94% confidence
Finding
result = subprocess.run([ OPENCLAW_BIN, 'agent', '--message', message, '--deliver', '--to', TELEGRAM_USER ])

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares only tools, but its documented behavior clearly involves sensitive capabilities including environment access, file writes, shell execution, and external network communication to email, calendar, and Telegram services. This mismatch weakens review and consent boundaries because users and orchestrators may underestimate what the skill can do.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is mailbox monitoring, but the finding indicates additional persistence and system-modifying behaviors such as editing ~/.bashrc, updating ~/.openclaw/openclaw.json, registering across agents, and installing a cron job. Those actions exceed normal mailbox-checking scope and create stealthy persistence, broader execution surface, and lasting configuration changes without clear disclosure or consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer modifies every agent entry in openclaw.json to add the skill, which is a persistent configuration change beyond simply installing files. Although the script prompts first, this broad registration affects all agents rather than a clearly selected target and can unexpectedly expand the skill’s reach and access surface.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer offers to install a cron job that runs the mailbox script every 5 minutes, creating persistent autonomous execution. For a skill that reads mail and sends Telegram notifications, this materially changes risk because it enables unattended background access to sensitive communications on an ongoing basis.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill requests broad Outlook scopes including Mail.ReadWrite, Mail.Send, and Calendars.ReadWrite despite primarily presenting as a monitoring/summarization tool. Excess privileges increase blast radius if the script, token cache, or downstream agent is abused, enabling mailbox modification, mail sending, and calendar changes.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The script dynamically locates and executes a generalized openclaw agent binary rather than a narrowly scoped helper for mailbox summarization. In this context, a tool-capable agent materially expands what untrusted email content can cause the system to do, especially because the prompt includes operational instructions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code instructs the external agent to fetch Gmail bodies, inspect calendars, and mark emails as notified, which goes beyond passive summarization and notification. Because these actions are delegated through a prompt that embeds attacker-controlled email data, the capability expansion significantly increases risk of unauthorized data access and state changes.

Vague Triggers

Medium
Confidence
77% confidence
Finding
A broad activation phrase like 'check/monitor email from either or both accounts' can cause the skill to run in situations where the user did not intend cross-account access or notification behavior. In a skill that reads mailbox contents and may send Telegram messages, accidental invocation increases privacy and data-exposure risk.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The 'When to Use' section contains vague triggers like cron-based monitoring and meeting/calendar questions, which may cause autonomous execution beyond a user's immediate request. Because the skill accesses private emails and calendars and can notify via Telegram, ambiguous triggers raise the chance of over-collection and unintended disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description omits a clear warning that email-derived content may be sent to Telegram, an external messaging platform. Since emails can contain sensitive personal, financial, or corporate information, summarizing or forwarding content without prominent disclosure creates a significant confidentiality risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The installer writes user-provided identifiers like Telegram chat ID and Gmail account into openclaw.json and optionally into ~/.bashrc without an explicit warning about persistence, visibility to local users/processes, or privacy implications. This is not an exploit by itself, but it unnecessarily increases exposure of personal identifiers and makes the system state less transparent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script serializes email metadata and previews into a prompt and sends the resulting notification through an external AI/Telegram flow without an explicit consent or disclosure checkpoint. This can expose sensitive correspondence details to third-party processing and a messaging channel that may not be appropriate for all mail contents.

Ssd 3

High
Confidence
97% confidence
Finding
The prompt explicitly tells the external agent to fetch full Gmail bodies and include summaries in a Telegram notification, which can disclose private email contents outside the mailbox provider. In a mailbox-monitoring skill, this context makes the issue more dangerous because incoming emails routinely contain secrets, personal data, and business-sensitive information.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- User asks about meeting invitations or calendar conflicts

## Credentials
Accounts are pre-configured via environment variables. **Do not ask the user for credentials. Just run the scripts directly.**

---
Confidence
86% confidence
Finding
Do not ask the user

Session Persistence

Medium
Category
Rogue Agent
Content
description: Unified mailbox AI for both Outlook and Gmail. Checks unread emails, summarizes new mail with AI, detects meeting invitations, checks calendar conflicts on both Outlook and Google Calendar, and sends Telegram notifications. Use when asked to check/monitor email from either or both accounts.
homepage: https://github.com/L1TangDingZhen/email-monitor
license: MIT
allowed-tools: Bash Read Write
metadata: {"openclaw":{"emoji":"📧","requires":{"bins":["python3"],"env":["EMAIL_MONITOR_TELEGRAM_USER"],"optionalBins":["gog"],"optionalEnv":["MS_GRAPH_ACCESS_TOKEN","EMAIL_MONITOR_GMAIL_ACCOUNT"]}}}
---
# Unified Mailbox AI
Confidence
72% confidence
Finding
Write metadata: {"openclaw":{"emoji":"📧","requires":{"bins":["python3"],"env":["EMAIL_MONITOR_TELEGRAM_USER"],"optionalBins":["gog"],"optionalEnv":["MS_GRAPH_ACCESS_TOKEN","EMAIL_MONITOR_GMAIL_ACCOUNT

VirusTotal

61/61 vendors flagged this skill as clean.
