Xena Protocol

Security checks across malware telemetry and agentic risk

Overview

This Gmail phishing-detection skill is mostly coherent, but it needs review because it can alter inbox state, automatically publish blockchain reports, and stores its reporting wallet key insecurely.

Install only if you are comfortable granting Gmail read/modify access, allowing background inbox scans, and using Reporter mode with automatic Sepolia on-chain reports. Prefer Watcher mode unless you explicitly want blockchain reporting, and do not fund or reuse the generated wallet for anything else.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
97% confidence
Finding
The skill declares no explicit permissions while instructing the agent to access environment secrets, read and write local config files, invoke shell commands, access Gmail over the network, and submit blockchain transactions. This is dangerous because users and the host platform may not realize the true privilege scope, undermining informed consent and any permission-gating the platform expects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The advertised behavior focuses on phishing detection with optional hashed reporting, but the skill also generates and stores a private key, waits for wallet funding, stakes funds, can unstake, modifies mailbox state, and performs setup/dependency checks. That mismatch is security-relevant because users may authorize an email-scanning skill without realizing it will manage credentials, hold funds, and perform autonomous on-chain writes.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill can modify Gmail state by removing the UNREAD label, which exceeds a read-only scanning/reporting expectation in the description. In a security scanning context, silently changing mailbox state can hide messages from the user, interfere with workflows, and reduce trust because potentially malicious emails may be marked as handled without explicit consent.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The CLI docstring states that unread Gmail messages are marked read after processing, but the implementation never performs that action. In a security-monitoring skill, this discrepancy is dangerous because operators may trust the documented side effects and design workflows around them, causing repeated rescans, duplicate handling, alert fatigue, or missed triage assumptions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The setup flow tells users to grant Gmail read/modify access even though the skill is described primarily as scanning for phishing. Requesting modify scope expands the blast radius from passive analysis to the ability to alter or delete mailbox contents, which is excessive unless clearly justified and disclosed.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The deployed contract interface includes stake() and unstake() functions plus staking-related state and events, which materially exceed the skill’s stated optional phishing-report submission purpose. Even if these functions are legitimate for registry participation, exposing value-moving and lockup mechanics in a skill centered on Gmail phishing detection creates hidden financial behavior and expands the attack surface for unintended wallet interactions, fund lockup, or deceptive prompting.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The registry ABI exposes broader account, reporter, recipient, reward-pool, and report enumeration capabilities than the description suggests, indicating functionality beyond a simple optional hashed-report submission flow. This mismatch is dangerous because users may authorize interactions with a contract that can participate in a wider economic/reporting system than advertised, undermining informed consent and making abuse or confusing wallet prompts more plausible.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The heartbeat instructs the agent to automatically remove the UNREAD label after processing each message, which changes user mailbox state during a background cycle without any explicit warning or consent language in this file. In a security-monitoring skill this may be operationally convenient, but it can still hide messages from the user's normal unread triage flow, cause missed review, and make autonomous behavior less transparent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README states that the agent wallet private key is stored in ~/.openclaw/phishing-detection/config.json, which places a sensitive blockchain secret in a predictable plaintext local file. If the host is compromised, backups are exposed, file permissions are lax, or another local process/user can read that path, an attacker could steal the key and perform unauthorized blockchain actions from the reporter wallet.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad activation terms like 'email security', 'phish', 'spam', or patterns such as 'check.*(email|inbox)' can trigger the skill during ordinary conversation, causing unintended inbox access or setup flows. In this context that is more dangerous because the skill can read Gmail content, write local config, and potentially initiate blockchain-related actions after activation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs automatic scanning of Gmail inbox contents but does not foreground a clear privacy warning about reading potentially sensitive email bodies and metadata. Because inbox content commonly includes financial, personal, and corporate secrets, silent or background scanning materially raises privacy and data-handling risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
Reporter mode auto-submits hashed identity reports to an on-chain registry without a clear recurring warning that this is an external, effectively irreversible publication event. Even if the data is hashed, linking domain, platform, category, confidence, and transaction timing can expose user behavior and create reputational or false-reporting consequences that cannot be easily undone.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Accepting a blockchain private key as a command-line argument exposes it through shell history, process listings, logs, and crash reports. In the skill context this is especially dangerous because the command performs staking, so a leaked key can directly lead to wallet compromise and fund theft.

Missing User Warnings

High
Confidence
99% confidence
Finding
The generated wallet private key is written in plaintext to a local JSON config file under the user's home directory. If that file is read by other local users, malware, backups, sync tools, or support tooling, the wallet can be fully compromised.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest exposes payable and state-changing methods including reportIdentity(), stake(), and unstake() without clear user-facing warning that these actions can cost ETH, alter on-chain state, trigger cooldowns, or be irreversible. In the context of a Gmail phishing-detection skill, hidden transaction prompts are especially risky because users are primed to trust the tool for safety and may not expect wallet-draining or value-locking operations.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill instructs reading a stored wallet private key from a local config file and passing it on the command line to subprocesses. Command-line arguments are commonly exposed via process listings, shell history, logs, crash reports, or telemetry, which can leak the key and allow an attacker to control the wallet and any staking/reporting funds.

Ssd 3

Medium
Confidence
89% confidence
Finding
The docstring states the LLM-driven wizard may ask the user to paste a Gmail account and then orchestrates setup around that identifier and stored config. In a privacy-sensitive email-scanning skill, encouraging repeated handling of personal account identifiers by an LLM-mediated flow increases unnecessary data exposure and normalization of sharing sensitive account details.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**Watcher mode**: stop here. No on-chain action. Log the event.

**Reporter mode — AUTO-SUBMIT**: do NOT ask the user. Submit the report
immediately using the agent wallet:

    python -m bin.registry_client.report_identity \
Confidence
95% confidence
Finding
do NOT ask the user

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal