Email Assistant

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.prompt_injection_instructions

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may read sensitive inbox and sent-mail content from any configured account exposed by the chosen email tool, and some of those tools may also have write or send capabilities.

Why it was flagged

The skill would use whatever email accounts and credentials are already available through local tools, but the artifacts do not clearly limit access to a specific account, folder, or read-only scope.

Skill content
Email access is handled through the user's existing email tooling... himalaya CLI — IMAP/SMTP access... MCP email servers... gog CLI... Direct IMAP — via shell commands if other tools unavailable
Recommendation

Use a dedicated or least-privilege email profile where possible, specify the account, folders, and date range before each use, and avoid exposing SMTP/send-capable profiles unless truly needed.

What this means

A user may over-trust the skill's safety guarantees and give it broader email access than they otherwise would.

Why it was flagged

The provided artifacts do not show an external audit, enforcement layer, or read-only architecture that guarantees the agent cannot send email; the supported access methods include SMTP-capable tooling.

Skill content
This skill has been audited by the Codex Security Team... The agent cannot send emails. This is an architectural constraint, not a configuration option.
Recommendation

Treat the draft-only and no-exfiltration statements as policy instructions rather than proven technical guarantees; review generated actions and constrain the underlying email tools.

Concern

Medium Confidence
ASI06: Memory and Context Poisoning
What this means

If the dashboard path is used, sensitive email metadata and draft content could be retained in a persistent database rather than only local files.

Why it was flagged

The companion dashboard design can persist email summaries, sender PII, and draft bodies in a database or cloud-style backend, which expands the data handling beyond the local-only privacy language elsewhere.

Skill content
For users scaling beyond local JSON files to a persistent database (e.g., Supabase PostgreSQL)... email_drafts... draft_body TEXT... Sender emails and names are PII
Recommendation

Keep dashboard/database storage disabled or local unless explicitly needed, require clear opt-in for any cloud backend, enforce row-level security, and avoid storing full email bodies or long-lived drafts.

What this means

The setup process modifies the local workspace and may reveal configured email account information to the agent during checks.

Why it was flagged

Setup asks the agent to run local shell commands that create files, copy a local health-check script, and inspect local email tooling; this is expected for setup but should still be reviewed.

Skill content
Run from the workspace root... mkdir -p email-assistant/data/digests... cp "$SKILL_DIR/scripts/email-health-check.sh" email-assistant/scripts/email-health-check.sh... himalaya account list
Recommendation

Review the setup snippets before running them and run them only in the intended workspace.

Findings (2)

warn

suspicious.prompt_injection_instructions

Location
SECURITY.md:14
Finding
Prompt-injection style instruction pattern detected.
warn

suspicious.prompt_injection_instructions

Location
SKILL.md:19
Finding
Prompt-injection style instruction pattern detected.