ClawHub

tencent-exmail

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Tencent Exmail automation skill, but installing it gives OpenClaw access to read, send, modify, and monitor email.

Install only for a Tencent Exmail account where OpenClaw may read, send, modify, and monitor mail. Prefer a client-specific authorization code, verify recipients and attachments before sending, confirm move/delete-like actions, store downloaded attachments and hook files in protected locations, and stop any background watcher when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly uses sensitive capabilities: environment secrets for mailbox credentials, network access to external mail servers, and local file writes for attachments and hook-file output, yet it declares no permissions. This creates a transparency and policy-enforcement gap: users or hosting systems may approve the skill without understanding that it can access credentials, send/receive mail, and write files locally.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script exposes mailbox-modifying capabilities in a file presented as a read/search tool, including marking messages and moving them with delete+expunge semantics. This mismatch increases the risk that a caller or agent invokes destructive actions without user awareness, causing unintended mailbox state changes or data loss.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The docstring advertises only receiving, reading, searching, and downloading attachments, but the implementation also marks messages read/unread and moves mail. In an agent skill context, inaccurate capability descriptions are dangerous because orchestration layers and users may grant trust to a tool they believe is non-destructive.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger description is extremely broad and is likely to activate on nearly any email-related request. Over-broad invocation can cause the skill to handle requests unexpectedly, increasing the chance of unintended mailbox access, email sending, attachment handling, or background monitoring when the user did not explicitly intend to use this specific skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The markdown documents saving attachments and writing JSON hook files locally, but it does not provide a prominent warning about filesystem side effects, overwrite risk, sensitive content landing on disk, or safe destination constraints. In an email skill, attachment and metadata writes are particularly sensitive because they may persist confidential documents or message details in user-accessible locations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The move operation performs COPY followed by setting \Deleted and expunging, which permanently alters mailbox contents. Without an explicit warning or confirmation, an agent or user may treat this as a harmless organizational action when it can irreversibly remove messages from the source folder.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
In quiet mode, the script can continue collecting and writing new email metadata to a JSON file without any runtime terminal output, which reduces user awareness that monitoring and local persistence are occurring. Because the data includes sender, subject, timestamp, folder, and message UID, this can leak sensitive business communications to local disk or downstream consumers with little visibility.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal