ClawHub

Email Webhook

Security checks across malware telemetry and agentic risk

Overview

This is a real email webhook skill, but it handles sensitive email content and has several under-disclosed behaviors users should review before running it publicly.

Install only if you are comfortable running a public Node HTTPS webhook that stores raw emails locally and wakes an agent. Use a strong WEBHOOK_SECRET, set OPENCLAW_AGENT_ID, restrict network exposure, rotate or protect inbox.jsonl, configure an explicit safe notification channel, and review the undeclared gateway token use plus automatic public-IP diagnostics before deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill metadata declares runtime requirements and installation steps but does not declare permissions/capabilities even though it clearly needs environment access and network exposure. That gap can mislead users and policy engines about what the skill will do, reducing informed consent and weakening review controls for a network-facing webhook receiver.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose says the skill receives email webhooks and wakes the agent, but the behavior also includes retaining raw email content locally and reportedly performing certificate generation and external network/public-IP checks. Hidden or under-disclosed behaviors are dangerous because they expand the attack surface, may leak sensitive metadata externally, and prevent users from understanding the privacy and exposure implications of deploying a public webhook service.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill performs outbound discovery of the host's public IP and probes its own externally reachable port, behavior that is not necessary to receive email webhooks or wake the agent. This leaks deployment metadata to third parties and adds unsolicited network activity that can surprise operators and violate least-functionality expectations for a webhook receiver.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The startup diagnostic makes outbound requests to api.ipify.org and then to the server's public IP, which expands the skill's behavior beyond its stated purpose. Even if intended as convenience, hidden network diagnostics increase attack surface, create external data disclosure about the host, and may be unacceptable in restricted or privacy-sensitive environments.

Vague Triggers

Medium
Confidence
78% confidence
Finding
A broad activation description for a skill that can receive external webhooks and wake the agent increases the chance of unintended invocation or over-broad matching. In context, this is more dangerous because the skill is network-facing and triggers immediate agent activity, so accidental activation could create unnecessary exposure or user confusion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to relay inbound email details over the user's last active channel, potentially disclosing private email content across unrelated platforms without explicit consent. This context makes the issue more serious because emails often contain sensitive personal or business data, and cross-channel forwarding can violate confidentiality expectations and create secondary data exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal