mailbox-skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent mailbox skill, but it lets mailbox metadata and local Markdown steer file writes and message handling without enough boundaries: routing fields and message content that another agent (or whoever can write into the workspace) controls end up deciding which files the agent reads, copies and deletes.

Install only in workspaces where you trust the mailbox protocol and can enforce that inbox and reply paths stay inside approved .mailbox/inbox directories. Add a local rule requiring path canonicalization, no arbitrary Markdown overrides, and no cross-sender or cross-channel context sharing without explicit approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to read from and write to workspace mailbox paths, but it does not declare any permissions for those filesystem capabilities. That creates a transparency and policy-enforcement gap: a caller or platform may treat the skill as lower risk than it is, while the skill can still influence file access behavior involving inbox, scratch, and reply paths. In this mailbox context, the omission is more concerning because the protocol explicitly handles inter-agent messages and file delivery, increasing the chance of unintended file access or misuse of attacker-controlled paths.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The instructions explicitly tell the agent to copy a reply message to a mailbox path and then delete the original inbox message, which are state-changing filesystem operations. Although this is core to a mailbox workflow, the document provides no user-facing warning, confirmation step, or guardrails beyond checking that the destination directory exists, so an agent following it could modify or remove files based on untrusted routing metadata.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document gives explicit instructions to create and copy mailbox message files into another agent's inbox, but it does not include any warning that this modifies workspace state or may send data to another agent. In an agent skill context, that omission can cause silent cross-agent side effects, unintended message delivery, or disclosure of sensitive content because the procedure is framed as a routine reference flow.
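The three findings above and the local rule in the overview (canonicalize paths, keep inbox and reply paths inside approved .mailbox/inbox directories, confirm before state changes) describe one guarded procedure. The following is an added example of that procedure, not code from the mailbox-skill page or from the skill itself. It assumes a hypothetical layout of <workspace>/<agent>/.mailbox/inbox/<message>.md and a hypothetical routing header of `key: value` lines at the top of each message (for example `reply_to: bob`); every name taken from that header is treated as untrusted, the recipient inbox must already exist (nothing is created on the caller's behalf), the reply is written with O_EXCL so it never clobbers an existing file, and the original is deleted only after the reply is verified on disk and a caller-supplied `confirm` hook has agreed. The `demo()` function builds a constructed workspace with a legitimate message, a traversal attempt and a planted symlink.

```python
"""Guarded mailbox delivery for an agent skill (added example; not code from
the mailbox-skill page or from the skill itself).

Assumed, hypothetical layout: <workspace>/<agent>/.mailbox/inbox/<message>.md,
with a routing header of `key: value` lines at the top of each message
(for example `reply_to: bob`). Every name taken from that header is untrusted.
"""
import os
import re
import tempfile
from pathlib import Path
from typing import Callable

AGENT_NAME_OK = re.compile(r"[A-Za-z0-9_-]{1,64}")
MESSAGE_NAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,128}\.md")


class MailboxPathError(ValueError):
    """A requested path would not stay inside an approved .mailbox/inbox."""


def approved_inbox(workspace: Path, agent: str) -> Path:
    """Canonical inbox for `agent`, or MailboxPathError.

    Rejects names that are not a single safe path component, and an inbox
    (or agent directory) that is a symlink resolving somewhere else. Creates
    nothing: a missing inbox is a refusal, not a side effect.
    """
    if not AGENT_NAME_OK.fullmatch(agent):
        raise MailboxPathError(f"bad agent name: {agent!r}")
    expected = workspace.resolve() / agent / ".mailbox" / "inbox"
    if expected.resolve() != expected or not expected.is_dir():
        raise MailboxPathError(f"no approved inbox for {agent!r}")
    return expected


def message_path(workspace: Path, agent: str, name: str) -> Path:
    """Canonical path of message `name` in `agent`'s inbox, or MailboxPathError."""
    inbox = approved_inbox(workspace, agent)
    if not MESSAGE_NAME_OK.fullmatch(name):  # no '/' or '\\', so no '../'
        raise MailboxPathError(f"bad message name: {name!r}")
    path = inbox / name
    if path.resolve() != path:  # an existing symlink resolves elsewhere
        raise MailboxPathError(f"{name!r} is a symlink")
    return path


def parse_routing(markdown: str) -> dict:
    """`key: value` lines up to the first blank line; values stay untrusted."""
    headers = {}
    for line in markdown.splitlines():
        if not line.strip():
            break
        key, sep, value = line.partition(":")
        if sep and key.strip():
            headers[key.strip().lower()] = value.strip()
    return headers


def reply_and_archive(workspace: Path, me: str, original_name: str,
                      reply_body: str, confirm: Callable[[str], bool]) -> Path:
    """Write a reply into the sender's inbox, then delete the original.

    Both paths derive from the untrusted `reply_to` header, so they are
    confined first; `confirm` is asked before each state change; the original
    is removed only after the reply is verified on disk.
    """
    original = message_path(workspace, me, original_name)
    headers = parse_routing(original.read_text(encoding="utf-8"))
    dest = message_path(workspace, headers.get("reply_to", ""), "re-" + original_name)
    if not confirm(f"write reply to {dest}"):
        raise PermissionError("reply delivery not confirmed")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never clobber
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(reply_body)
    if dest.read_text(encoding="utf-8") != reply_body:
        raise OSError("reply not written intact; original kept")
    if confirm(f"delete original {original}"):
        original.unlink()
    return dest


def demo() -> dict:
    """Constructed workspace: one legitimate message plus two hostile ones."""
    ws = Path(tempfile.mkdtemp())
    for agent in ("alice", "bob"):
        (ws / agent / ".mailbox" / "inbox").mkdir(parents=True)
    inbox = ws / "alice" / ".mailbox" / "inbox"
    (inbox / "m1.md").write_text("from: bob\nreply_to: bob\n\nhello\n")
    (inbox / "m2.md").write_text("reply_to: ../../etc\n\nescape attempt\n")
    os.symlink("/etc/hostname", inbox / "m3.md")  # symlink planted in the inbox
    out = {}
    dest = reply_and_archive(ws, "alice", "m1.md", "reply_to: alice\n\nhi\n", lambda _: True)
    out["delivered_to"] = dest.relative_to(ws.resolve()).as_posix()
    out["original_removed"] = not (inbox / "m1.md").exists()
    for name, key in (("m2.md", "traversal_blocked"), ("m3.md", "symlink_blocked")):
        try:
            reply_and_archive(ws, "alice", name, "x", lambda _: True)
            out[key] = False
        except MailboxPathError:
            out[key] = True
    return out
```

The `confirm` hook is where the missing user-facing warning belongs: an interactive agent can prompt, a batch runner can log and refuse, and either way the copy and the delete are separately gated rather than folded into one "routine" step.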

VirusTotal

0/64 vendors flagged this skill as malicious (64/64 clean). Antivirus engines look for known malware in the packaged files; a clean verdict says nothing about the path-handling and missing-confirmation issues in the findings above, which live in the skill's Markdown instructions rather than in any binary.
