Email Migration Toolkit

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate email migration helper, but it handles email credentials and includes unsafe password and TLS examples that should be reviewed before use.

Install only if you are comfortable reviewing and controlling the migration steps yourself. Prefer temporary app passwords or OAuth where available, enter passwords interactively rather than on the command line, keep SSL/TLS certificate validation enabled, avoid no-SSL testing except in isolated diagnostics, encrypt exported mailbox archives, and revoke migration credentials after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill description materially overstates what the toolkit does versus the referenced behavior, including claims of universal migration, backup/export coverage, and broad provider support while apparently only implementing IMAP testing and mailbox enumeration. This mismatch is dangerous because users may trust it with sensitive email credentials and mailbox access under false assumptions, increasing the chance of unintended data exposure, unsafe operation, or misuse of a tool that performs more limited but still sensitive actions.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file gives contradictory TLS guidance: the Gmail client configuration says 'Server Certificate: Accept' while the security section later tells users to verify server certificates. In practice, telling users to blindly accept certificates can normalize bypassing certificate validation and expose credentials to man-in-the-middle attacks during IMAP/SMTP setup or migration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions direct users to handle app passwords, IMAP access, mailbox copying, and migration validation for highly sensitive email data, but they do not prominently warn about credential handling, privacy exposure, possible data loss, or rollback requirements. In the context of email migration, this is more dangerous because mistakes can expose entire mailboxes, corrupt folder state, or cause irreversible partial migrations across personal or enterprise accounts.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This guide instructs users to export complete mailbox contents and use app passwords or admin export capabilities, but it omits basic safeguards for handling highly sensitive email data and credentials. In an IT migration context, that omission can lead to exposed archives, mishandled app passwords, or overbroad admin exports that create confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to run a script with the mailbox password as a positional command-line argument, which can expose credentials through shell history, process listings, logging, and remote session transcripts. In the context of an email migration toolkit used by IT staff, this is more dangerous because the credentials may belong to production mailboxes and could grant broad access to sensitive communications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts the IMAP password via the --password command-line flag, which can expose credentials through shell history, process listings, audit logs, or job runner telemetry. In an email migration context, these credentials may grant broad mailbox access, so accidental disclosure can compromise sensitive communications and enable account takeover or large-scale data exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts a password via the --password command-line argument, which can expose credentials through shell history, process listings, audit logs, and orchestration tooling. In an email migration context, those credentials may grant full mailbox access, so accidental disclosure can compromise sensitive communications and account data.

VirusTotal

66/66 vendors flagged this skill as clean.
