Mail Agent

Security checks across malware telemetry and agentic risk

Overview

This Gmail monitor appears purpose-built, but it needs review because it forwards email-derived data to external services and its install step may fetch code that does not match the reviewed artifact.

Review before installing. Confirm the GitHub tag contents match the reviewed code, use a dedicated or clearly selected Google account and credentials file, verify the Telegram chat ID, secure API keys, and only enable LLM classification for inboxes where sending message snippets and summaries to third-party services is acceptable. Plan cleanup of Gmail watch and Pub/Sub resources if you uninstall.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly performs network-capable actions: authenticating to Google Cloud, enabling Gmail/PubSub APIs, installing a remote plugin, and forwarding email-derived notifications to Telegram, yet it does not declare permissions accordingly. Missing permission disclosure weakens consent and review controls, making it easier for a user or orchestrator to invoke a networked skill without understanding its external communications and data flow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README states that emails are classified with an external LLM and sent to Telegram, but it does not clearly warn users that potentially sensitive email content may leave their environment and be processed by third-party services. In a mail-monitoring plugin, this is a meaningful privacy and data-handling risk because users may enable it on personal or corporate inboxes without understanding the exposure.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The setup instructions tell users to supply a Telegram chat ID, GCP project details, and an LLM API key, but do not include guidance on protecting secrets or avoiding shell history, screenshots, or insecure config storage. This is less severe than direct secret leakage in code, but it can still lead to accidental credential exposure during installation or troubleshooting.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation text is broad enough to match generic requests like 'configure Gmail monitoring' or 'troubleshoot why email alerts aren't arriving,' which can cause the agent to enter a workflow that modifies cloud resources, installs software, and configures inbox monitoring. In this context, over-broad triggering is risky because the skill is not merely informational; it performs high-impact setup steps with persistence and external data forwarding.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill does not prominently warn that setup creates ongoing Gmail inbox monitoring and forwards important email content or summaries to Telegram, an external messaging platform. Because email often contains highly sensitive personal, business, or credential-related data, failing to disclose this monitoring and exfiltration behavior undermines informed consent and can lead to unexpected privacy and compliance violations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill suggests configuring an external LLM API key for email classification without warning that email contents, snippets, or metadata may be transmitted to a third-party AI provider for analysis. In the context of inbox monitoring, this materially increases data exposure because potentially sensitive communications could be sent beyond Google and Telegram to an additional external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code sends email metadata and up to 500 characters of the email body to a configurable external LLM endpoint for classification. Even if intended for triage, this transfers potentially sensitive mailbox content to a third party without any visible consent, minimization, or policy enforcement in the skill, creating a real privacy and data-governance risk.

Ssd 3

Medium
Confidence
98% confidence
Finding
The request body includes sender, subject, and a slice of the email body in a prompt to an external LLM service. Because email content often contains credentials, financial details, personal data, or internal business information, this is a direct sensitive-data disclosure path beyond the user's mailbox environment.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill forwards sender, subject, and an LLM-generated summary of email contents to Telegram, which exposes private mailbox information in a separate messaging channel. This increases the attack surface because Telegram chats may be accessible on multiple devices, retained externally, or visible to unintended recipients if the chatId is misconfigured or the Telegram account is compromised.

VirusTotal

65/65 vendors flagged this skill as clean.