ClawHub

Email Outreach Automation

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it claims, but it needs review because it can automatically send cold emails and has weak webhook controls.

Install only after adding controls: remove the default secret fallback, authenticate both webhooks, use a dedicated SMTP account and scoped Google Sheet, add send limits and campaign approval, enforce unsubscribe/suppression handling, and test with a small non-production list before enabling schedules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents bulk cold-email outreach, reply tracking, and prospect storage/analytics without any privacy, consent, anti-spam, or data-handling warning. In this context, the omission materially increases the risk of misuse against external recipients and improper processing of personal data, even if the file is not directly executing code.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples place a shared secret directly in the JSON request body and do not warn that such values can be exposed through logs, history, screenshots, client code, or intermediary systems. If reused in production, an attacker who obtains the secret could submit unauthorized imports or spoof reply events to manipulate outreach state and notifications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The secret check falls back to the hardcoded default string 'YOUR_OUTREACH_SECRET' when the environment variable is unset. If deployment occurs without properly setting OUTREACH_SECRET, an attacker who can guess or recognize this placeholder can bypass authentication and submit arbitrary prospect data into the system.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The workflow sends emails automatically from spreadsheet data and then mutates prospect status with no built-in confirmation, approval step, or disclosure boundary in the workflow. In this skill context, that is more dangerous because the stated purpose is production-ready cold outreach automation, so importing or mislabeling contacts can immediately trigger unsolicited bulk email activity and persistent CRM state changes.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The workflow exposes a public POST webhook at `outreach/reply` with no visible authentication, signature verification, caller restriction, or shared-secret validation. An attacker can submit forged reply events to mark arbitrary prospects as replied, pollute CRM data, trigger internal notification emails, and potentially cause workflow abuse or alert spam; in an outreach automation context this is more dangerous because webhook data directly drives business state changes.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The workflow forwards untrusted reply contents, including subject and message body, to an admin email address without any minimization, consent, or warning in the workflow. This can leak sensitive personal or business information from replies to additional recipients and systems, and because the content is attacker-controlled it also increases risk of HTML/email content abuse, internal phishing-style notifications, or storage of unnecessary sensitive data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal