Security audit

Email Assistant

Security checks across malware telemetry and agentic risk

Overview

This email assistant is not clearly malicious, but it asks for broad mailbox access and persistent email-derived profiling with insufficient consent and scope controls.

Install only if you are comfortable with the agent reading inbox content and some sent-mail history. Use a dedicated or least-privilege email profile where possible, confirm the exact account and folders before first use, disable historical style analysis unless you want it, and avoid enabling the dashboard/database path until privacy notices, retention/deletion controls, and RLS write checks are tightened.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Intent-Code Divergence

Severity: Low, confidence 79%

Finding: The skill says to read the full email thread for drafting, but elsewhere says attachments must never be opened, downloaded, or executed. Without explicitly excluding attachments from 'full thread' processing, an implementation may ingest attachment content or metadata in unsafe ways, increasing exposure to prompt injection, sensitive-data leakage, or accidental handling of malicious files.

Intent-Code Divergence

Severity: Medium, confidence 95%

Finding: The RLS policies use `FOR ALL USING (auth.uid() = user_id)` but do not add a `WITH CHECK` clause for inserts/updates. In PostgreSQL RLS, `USING` restricts which existing rows are visible or targetable, while `WITH CHECK` constrains the values a user may write; without it, a client may be able to insert rows with another user's `user_id`, creating cross-tenant data integrity and possible confidentiality issues depending on later access paths.

Context-Inappropriate Capability

Severity: Medium, confidence 94%

Finding: The example states that the agent analyzed the user's last 30 sent emails to infer writing style, even though the visible task is only to draft a reply to a specific email. That implies broader access to historical mailbox data and behavioral profiling without necessity, consent, or clear disclosure, creating an avoidable privacy and over-collection risk.

Vague Triggers

Severity: Medium, confidence 91%

Finding: The installation step tells the user to ask the agent to read and follow instructions from `SETUP-PROMPT.md`, which is a broad natural-language invocation rather than a tightly scoped command. Because it resembles ordinary conversation and delegates execution to another prompt file, it can be triggered or interpreted in unintended ways, increasing the chance the agent follows adversarial or unsafe setup instructions contained in the skill.

Vague Triggers

Severity: Medium, confidence 87%

Finding: The setup prompt instructs the agent to advertise very broad natural-language triggers such as 'What's in my inbox?' and 'Give me an email briefing.' These phrases are common conversational requests and, without a narrowly scoped invocation model or explicit confirmation, could cause the skill to activate unintentionally in contexts where the user did not mean to invoke this specific skill, potentially exposing or acting on sensitive email data.

Vague Triggers

Severity: Medium, confidence 84%

Finding: The activation trigger is broad enough to engage on casual conversation about email, which can grant the skill access to inbox data or initiate email-tool actions without sufficiently clear user intent. In an email-handling skill with access to sensitive communications, unintended activation meaningfully increases privacy and data-exposure risk.

Missing User Warnings

Severity: Medium, confidence 96%

Finding: Referencing analysis of the user's last 30 sent emails introduces access to privacy-sensitive communications without any warning, consent prompt, or justification in the skill description. In an agent setting, this normalizes silent mailbox mining and can mislead users about the scope of data being accessed.

Missing User Warnings

Severity: Medium, confidence 95%

Finding: The health check performs a live mailbox connectivity action (`himalaya envelope list --page-size 1`) without prior confirmation, dry-run mode, or a clear warning that it will access the user's inbox over the network. In an agent skill context, unexpected access to sensitive communications can violate user expectations, trigger privacy concerns, and cause unintended side effects such as logging, telemetry, or server-visible access events.

Ssd 3

Severity: Medium, confidence 93%

Finding: The response reveals detailed contents from the full thread, attachment state, timing, and specific figures beyond the user's request to draft a reply. Exposing or surfacing more private email content than necessary increases the chance of unintended disclosure and shows the skill may access and reproduce sensitive context without minimization.

Ssd 3

Severity: Medium, confidence 95%

Finding: The note implies ongoing collection and reuse of prior emails to personalize responses, suggesting persistent profiling of the user's communication habits. Without transparency, opt-in, and retention boundaries, this creates privacy risk and can expose sensitive patterns about the user's contacts, tone, and work behavior.

VirusTotal

65/65 vendors flagged this skill as clean.