Create And Use New Agent Email Address

Security checks across malware telemetry and agentic risk

Overview

This is a coherent email-gateway skill that does sensitive but expected email-account actions, including saving tokens, sending mail, and configuring forwarding.

Install only if you want the agent to manage this Crustacean/OpenClaw mailbox. Protect the local token file like a password, review send recipients and forwarding destinations carefully, and remember that forwarding can persist future inbound mail to an external address without destination verification.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill directs the agent to use network, shell, file read/write, and environment-variable capabilities but does not declare permissions or boundaries for those actions. This increases the chance of the agent performing sensitive operations such as reading identity material and storing bearer tokens without transparent authorization or policy enforcement.

Context-Inappropriate Capability

Medium

Confidence: 84% confidence
Finding: The code writes the private key to disk and invokes an external process to use it, expanding the attack surface to local filesystem exposure, process-level inspection, and dependency hijacking of the OpenSSL executable. While the behavior appears functionally related to identity registration, it is still an avoidable secret-handling weakness rather than obviously malicious behavior.

Vague Triggers

Medium

Confidence: 88% confidence
Finding: The invocation scope is broad enough to match common email-management requests, which can cause the skill to trigger in situations where the user did not intend this particular gateway or did not understand that external actions will occur. In an email skill, ambiguous activation is risky because it can lead to sending mail, altering message status, or changing forwarding behavior on the user's behalf.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill specifies a local bearer-token file and instructs the agent to save and reuse tokens, but it does not present a user-facing warning about credential storage. Bearer tokens grant mailbox access, so silent local persistence can expose the account if the filesystem is shared, backed up, or otherwise accessible to other processes.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill supports outbound email transmission and mailbox forwarding but does not surface a clear warning to the user about the external-delivery consequences. This is dangerous because forwarded or sent messages may disclose sensitive content to third parties, and forwarding can create persistent future data egress beyond the immediate request.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The API explicitly supports enabling forwarding to an arbitrary external email address and states there is no forwarding verification flow. That means anyone holding a mailbox bearer token can redirect inbound message contents to an unverified destination, increasing the risk of silent data exfiltration, misdelivery, and persistence of disclosure if the address is mistyped or attacker-controlled.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The examples normalize actions with clear external side effects—mailbox registration, token recovery, forwarding changes, and email sending—without any guidance to confirm user intent, warn about privacy consequences, or avoid unintended outbound actions. In an agent skill, this increases the risk that an automated system performs sensitive communications or rerouting of mail based on ambiguous prompts, leading to data leakage, unauthorized message transmission, or account changes.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: Private key material is serialized into a temporary file, which creates a window where highly sensitive credentials exist on disk and may be recoverable by local attackers, backups, or forensic tooling. Even though the file is deleted afterward, deletion does not guarantee the key was never exposed.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script recovers a bearer token and immediately persists it to disk via `save_token(...)` without any explicit user confirmation or warning that a sensitive credential is being stored locally. In the context of an email gateway, this token likely grants mailbox access and sending capability, so silent persistence increases the risk of credential exposure through shared systems, backups, weak file permissions, or accidental reuse.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The script persists a bearer token to disk via `save_token(...)` without any visible user warning, consent prompt, or indication of storage protections in this file. Because this skill manages mailbox access, the token likely grants direct API access to email data and sending capabilities, so unintended local disclosure or insecure file permissions could lead to account compromise.

Autonomous Decision Making

Medium

Category: Excessive Agency
Content: - Treat outbound message `id` as the public id used by `GET /outbox/{id}`. - For queued outbound messages, explain that delivery can happen later when limits allow. - Use `configure_forwarding.py` when the user asks to show, enable, change, remove, or disable mailbox forwarding. - Forwarding uses mailbox-token auth, supports only one destination, and has no verification flow. - Forwarding to the same mailbox address or any `crustacean.email` address/subdomain is not allowed. - Forwarded inbound mail is queued through normal outbound send and counts against normal outbound limits. - Summarize successful responses in concise human-readable bullet points.
Confidence: 84% confidence
Finding: no verification

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal