ClawHub

Lel Mail

Security checks across malware telemetry and agentic risk

Overview

This is a real email helper, but incoming emails can automatically steer broad agent actions such as memory writes, user contact, and delayed outbound mail.

Review before installing. Use only a dedicated mailbox or tightly scoped app password, protect the local config file, keep can_read and can_send disabled unless needed, avoid enabling the cron sender until the queue behavior is understood, and require manual approval before any email-derived memory write, user contact, or outgoing response.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documents capabilities to read/write files, access environment/configuration, use shell scripts, and communicate over the network, but it does not declare permissions or present explicit guardrails. In an email-handling skill, this omission is significant because the skill can access sensitive mailbox contents and send outbound messages, making hidden or unexpected capability use more dangerous.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This is a true vulnerability because untrusted email content is first classified by an LLM and then used to trigger broad downstream actions such as writing to memory and contacting the user through arbitrary channels. That creates an agentic prompt-injection path where an external sender can indirectly influence persistent state and communications far beyond simple email processing.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This is a real capability-escalation issue: a mail-processing script instructs a general agent to inspect memory banks, read user files, discover contact channels, and initiate communication. A malicious email sender could therefore trigger actions that traverse unrelated data stores and communication paths, violating least privilege and expanding blast radius.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Invoking a general-purpose agent subprocess on raw email content is risky because the model output determines subsequent control flow, yet the subprocess is not constrained to a hardened classifier interface. This increases exposure to prompt injection and unexpected behavior compared with a local deterministic parser or tightly scoped classification API.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The description is broad and enables reading email, writing memory from email contents, notifying users, and responding, without narrowly defining triggers or requiring explicit user authorization boundaries. That increases the chance the agent invokes the skill in contexts where sensitive mailbox access or outbound communication was not clearly intended.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill explicitly supports automatic email-triggered actions, memory writes based on email contents, and sending responses, but the documentation does not clearly warn users about privacy, autonomy, and prompt-injection risks from processing untrusted email content. In this context, incoming email is adversarial input, so automatic action based on it can lead to data leakage, unwanted persistence, or unauthorized outbound communications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The quick-reference steps tell the operator to check a user's email by running a script, but they omit a clear privacy warning that mailbox contents may include highly sensitive personal, financial, or authentication data. Missing that warning makes accidental overcollection or unauthorized review more likely.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The queue management section describes deleting pending outgoing emails without clearly warning that this is destructive and may cancel legitimate communications. In an operational workflow, undocumented destructive actions can be abused or triggered accidentally, causing loss of important messages or interfering with user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script sends full email subject, sender, and body content to an external LLM agent without notice or confirmation, which can expose sensitive personal, business, or credential-related information. In an email-processing context this is especially dangerous because inbound mail commonly contains confidential data from third parties who did not consent to external model processing.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code performs autonomous actions after processing email, including file writes and user contact, without explicit confirmation. That makes untrusted inbound email an indirect trigger for persistent changes and outbound communications, which can be abused for spam, misinformation, data pollution, or social-engineering amplification.

Ssd 3

High
Confidence
95% confidence
Finding
The script explicitly instructs the agent to log email-derived information into user or shared memory files, which can leak sensitive content into broader contexts and contaminate future agent reasoning. Because the content originates from external email, an attacker can intentionally seed false, manipulative, or private data into persistent storage.

Ssd 3

High
Confidence
98% confidence
Finding
These instructions direct the agent to search memory banks and user files and then contact the user via any available or new channel. This combines unnecessary data access with outbound communication authority, enabling email-triggered privacy violations and cross-channel escalation from a low-trust input source.

Ssd 3

High
Confidence
97% confidence
Finding
This path chains together contact discovery, relaying response details, and sending a follow-up email, all based on LLM interpretation of inbound email. That creates a strong prompt-injection and abuse surface where an attacker can manipulate both internal communications and external email responses through a single crafted message.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: lel-mail
description: Send and read email via a combination of python and bash scripts which makes use of the main agent for reasoning and logic. This skill enables the agent to write to memory based on contents in the email and to reach out to the user either to notify them of happenings or to request inputs to respond. This skill also contains a python script to read and manage the email queue containing functionality to list pending outgoing emails and delete emails before they can be sent out. Please note that this skill enables the agent to act upon received emails by adding to agent memory and sending responses
metadata: {"clawdbot":{"emoji":"📧","requires":{"bins":["python3"]}}}
---
Confidence
94% confidence
Finding
write to memory based on contents in the email and to reach out to the user either to notify them of happenings or to request inputs to respond. This skill also contains a python script to read and ma

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal