Gmail Integration

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill is not clearly malicious, but it asks users to trust a sensitive email integration whose authentication and action boundaries are under-specified and partly misleading.

Install only after treating it as a Review item: use a dedicated, least-privilege Google OAuth client, do not expose the client secret in code or prompts, verify the OAuth implementation before connecting a real account, and require explicit review before any email is sent or labels are changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill declares use of sensitive capabilities through environment variables and implied network access to Gmail, but does not explicitly declare permissions for those operations. Missing permission metadata weakens user awareness and platform enforcement, increasing the chance that a user enables a skill without understanding it can access secrets and communicate externally.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 87%
Finding
The documented behavior does not cleanly match the described functionality, especially around mailbox reading and the claim of full OAuth2 support. Security-relevant mismatches can mislead users about what data the skill accesses and how authentication is handled, causing them to grant trust or credentials under false assumptions.

Intent-Code Divergence

High
Confidence: 98%
Finding
The skill advertises full OAuth2 support, but the implementation never performs an OAuth flow, never obtains or refreshes tokens, and never attaches an Authorization header to Gmail API requests. This creates a misleading security boundary: users or upstream systems may believe Gmail actions are properly authenticated and scoped when they are not, leading to broken auth behavior and potentially unsafe integration assumptions.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill promotes inbox listing and email sending but omits a clear warning that it may access mailbox contents and transmit email data to Google's API. Without a prominent privacy warning, users may expose sensitive communications or metadata without informed consent, which is especially risky for an email-integrated skill.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instructions describe email-sending capability but do not warn that the skill can send messages to external recipients and process user email data via Gmail OAuth. This increases the risk of unintended disclosure, accidental outbound communication, and user surprise about the scope of access being granted.

VirusTotal

66/66 vendors flagged this skill as clean.
