☤CaduceusMail

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent mail/DNS automation, but it asks for powerful Microsoft and Cloudflare access while the reviewed package is missing the core tarball it says it will verify and run.

Treat this as a Review install. Do not provide production Microsoft 365, Exchange, or Cloudflare credentials until the missing caduceusmail tarball is included and scanned, and confirm which OPENCLAW_* variables are actually needed. Use a dedicated least-privilege Entra app and a zone-scoped Cloudflare DNS token, preferably first on a test domain.
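The three checks the paragraph above asks for (which OPENCLAW_* variables the skill actually references, whether the vendored tarball is present and matches a pinned digest, and what the scripts do beyond mailbox/DNS work) can be run before any credential is handed over. The script below is an added example written for this review; it is not code from the CaduceusMail skill, from OpenClaw, or from SkillSpector. It assumes the skill is unpacked into a directory, that the vendored release is expected at `vendor/caduceusmail.tgz`, and that the reviewer supplies that tarball's sha256 from the upstream release; the sample skill it builds (SKILL.md, scripts/run.sh, the variable names in them) is constructed for the demo and deliberately omits the tarball, mirroring the finding above.

```shell
#!/usr/bin/env bash
# Added pre-install review helper (example code, not part of the CaduceusMail
# skill, OpenClaw, or SkillSpector). Assumptions: the skill is unpacked into a
# directory, the vendored release is expected at vendor/caduceusmail.tgz, and
# the reviewer supplies that file's sha256 from the upstream release.
set -eu

# Every OPENCLAW_* name the skill's files reference, one per line, deduplicated.
# Compare this list with what the skill's description claims it needs.
referenced_openclaw_vars() {
  grep -rhoE 'OPENCLAW_[A-Z0-9_]+' "$1" 2>/dev/null | LC_ALL=C sort -u
}

# sha256 hex digest of a file (sha256sum on Linux, shasum fallback elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{print $1}'
}

# Prints present / missing / digest-mismatch; returns 0 only for present.
tarball_status() {
  local tarball="$1" expected="$2"
  if [ ! -f "$tarball" ]; then echo missing; return 1; fi
  if [ "$(file_sha256 "$tarball")" != "$expected" ]; then echo digest-mismatch; return 1; fi
  echo present
}

# Behaviour a mailbox/DNS description would not lead an operator to expect:
# unpacking archives, piping downloads into a shell, sudo, making files
# executable, and cloud secrets forwarded into a CLI. One line per hit.
risky_patterns() {
  grep -rnoE 'sudo|curl[^|]*\|[^|]*sh|tar +-?x|chmod \+x|CLOUDFLARE_API_TOKEN|CLIENT_SECRET' "$1" 2>/dev/null || true
}

# Constructed sample skill for the demo. Like the reviewed package, its script
# unpacks a vendored tarball that is not shipped alongside it.
make_sample_skill() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/scripts"
  cat > "$dir/SKILL.md" <<'EOF'
Mailbox and DNS automation. Needs OPENCLAW_TENANT_ID and OPENCLAW_CF_TOKEN.
EOF
  cat > "$dir/scripts/run.sh" <<'EOF'
#!/bin/sh
tar -xzf vendor/caduceusmail.tgz
export CLOUDFLARE_API_TOKEN="$OPENCLAW_CF_TOKEN"
./caduceusmail --tenant "$OPENCLAW_TENANT_ID" --secret "$OPENCLAW_CLIENT_SECRET"
EOF
  echo "$dir"
}

# Demo run against the constructed sample. The digest below is a placeholder;
# use the sha256 published for the release before trusting a "present" result.
PLACEHOLDER_SHA256="0000000000000000000000000000000000000000000000000000000000000000"
sample=$(make_sample_skill)
echo "OPENCLAW_* variables referenced:"; referenced_openclaw_vars "$sample"
echo "vendored tarball: $(tarball_status "$sample/vendor/caduceusmail.tgz" "$PLACEHOLDER_SHA256" || true)"
echo "risky patterns:"; risky_patterns "$sample"
rm -rf "$sample"
```

On the sample, the variable list comes back with three names (the description only mentions two), the tarball check reports `missing`, and the risky-pattern scan surfaces the `tar -x`, the Cloudflare token export and the client secret being passed on the command line; each of those is a reason to withhold real credentials until the package is complete and the extra variable is explained.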

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill advertises substantial shell, file read, and file write behavior but declares no permissions, which weakens transparency and any permission-based review or enforcement the platform may rely on. Because the skill also handles high-privilege Microsoft and Cloudflare credentials, these undeclared capabilities materially increase the risk of misuse or operator surprise.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The description frames the skill as mailbox/domain automation, but the documented behavior includes unpacking and executing a vendored release, managing local toolchains and state, and forwarding sensitive Entra, Exchange, and Cloudflare secrets into a CLI. That gap is security-relevant because an operator reading only the high-level description would authorize a far more privileged and invasive execution model than it suggests.

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean. That verdict covers only the files present in the reviewed package: the missing caduceusmail tarball, which the skill unpacks and runs, was not part of the scan and has not been checked.