OpenClaw Offer Radar

Security checks across malware telemetry and agentic risk

Overview

The skill largely matches its Gmail-to-Apple-Reminders purpose, but it includes under-disclosed reminder deletion and bulk-clear commands that users should review before installing.

Install only if you are comfortable granting this workflow access to the intended Gmail account, Apple Mail, and Apple Reminders. Run scan-only first, keep writes limited to a dedicated OpenClaw reminders list, avoid invoking clear-list or sync-plan --clear unless you intentionally want that list emptied, and enable recurring automation only after verifying the output.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_json_shell(command: str) -> Any:
    # Runs an arbitrary command string through a login zsh shell
    proc = subprocess.run(
        ["zsh", "-lc", command],
        capture_output=True,
        text=True,
        encoding="utf-8",
        errors="replace",
    )
Confidence
97% confidence
Finding
proc = subprocess.run( ["zsh", "-lc", command], capture_output=True, text=True, encoding="utf-8", errors="replace", )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run_bridge(cmd: list[str]) -> subprocess.CompletedProcess[str]:
    # Executes the reminders bridge script with the current interpreter
    return subprocess.run(
        [sys.executable, str(REMINDERS_SCRIPT), *cmd],
        capture_output=True,
        text=True,
        encoding="utf-8",
        errors="replace",
    )
Confidence
95% confidence
Finding
return subprocess.run( [sys.executable, str(REMINDERS_SCRIPT), *cmd], capture_output=True, text=True, encoding="utf-8", errors="replace", )

Tainted flow: 'REMINDERS_SCRIPT' from os.environ.get (line 23, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
def run_bridge(cmd: list[str]) -> subprocess.CompletedProcess[str]:
    # REMINDERS_SCRIPT comes from the environment, so its path is attacker-influenceable
    return subprocess.run(
        [sys.executable, str(REMINDERS_SCRIPT), *cmd],
        capture_output=True,
        text=True,
        encoding="utf-8",
        errors="replace",
    )
Confidence
99% confidence
Finding
return subprocess.run( [sys.executable, str(REMINDERS_SCRIPT), *cmd], capture_output=True, text=True, encoding="utf-8", errors="replace", )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes shell commands and implies file/env access, but it declares no permissions or trust boundaries. This creates a hidden-capability problem: users or the platform may authorize a seemingly harmless mail/reminder workflow without realizing it can execute local scripts and access local mail/reminder data, increasing the chance of over-privileged execution and abuse.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file exposes generic delete and bulk-clear capabilities for Reminders, which exceed the skill's described purpose of converting recruiting emails into reminders. Even if not malicious, this broadens the blast radius: any misuse, prompt-influenced call path, or integration bug could remove unrelated user reminders rather than only creating/updating the intended items.

Description-Behavior Mismatch

Low
Confidence
75% confidence
Finding
The code supports enumerating all reminders in a list, which is broader than the stated email-to-reminder synchronization purpose. This creates unnecessary access to user task metadata and increases privacy exposure if the skill or upstream agent can invoke this command on arbitrary lists.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Using zsh to run Gmail queries gives the skill a general shell execution capability that exceeds the narrow task of syncing recruiting reminders. Even if not immediately exploitable, this broader capability raises the blast radius of any future input-handling mistake and is unnecessary for the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill fetches full email bodies from Apple Mail, which expands data access beyond a simple Gmail search-to-reminder transform and exposes sensitive message content. In context, recruiting emails may include links, schedules, candidate details, and other private data, so the additional mailbox access materially increases privacy risk.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The implementation persists detailed source metadata, review records, sender info, subjects, and thread identifiers rather than only reminder content. This creates unnecessary local retention of sensitive recruiting-mail metadata, increasing privacy exposure if the state file is accessed by other local users or software.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger text uses broad natural-language phrases such as checking interview-related email or syncing reminders, which can match ordinary user conversation and cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because activation leads to scanning Gmail and potentially modifying Apple Reminders, exposing sensitive recruiting data or causing unintended writes.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The default prompt instructs the agent to broadly inspect 'recent Gmail recruitment emails' without clear bounds on timeframe, sender scope, or confirmation before processing and syncing content. In a skill that reads email and writes to Apple Reminders, this can cause over-collection of sensitive mailbox data and unintended action on emails beyond what the user specifically meant.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Single-reminder deletion is destructive and occurs without any built-in confirmation, dry-run mode, or ownership check. In an agent context that processes untrusted content and automation plans, that makes accidental or unauthorized removal of reminders more plausible.

Missing User Warnings

High
Confidence
97% confidence
Finding
`clear_list` deletes every reminder in the specified list in a loop with no confirmation or safety checks. In this skill context, that is especially dangerous because automation intended to sync recruiting emails could wipe a user's entire reminders list if the wrong list name is supplied or influenced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code silently reads full message bodies from Apple Mail without any user-facing disclosure or consent mechanism. Because the skill handles personal recruiting correspondence, the undisclosed mailbox access is a meaningful privacy issue even if it is intended for feature completeness.

VirusTotal

65/65 vendors flagged this skill as clean.
