ClawHub
Back to skill

Security audit

Iris — Rainbow Messenger

Security checks across malware telemetry and agentic risk

Overview

This Gmail triage skill appears useful and not malicious, but it needs review because it uses a sensitive Gmail app password and saves email-derived details to a local report by default.

Install only if you are comfortable giving the skill a revocable Gmail app password and having a local markdown report created from your inbox details. Run it in a private directory, delete reports you do not want retained, and avoid using it on highly sensitive mail unless report writing is disabled or edited out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill documentation describes the Gmail access as read-only, which is misleading because the code persists inbox-derived content to a local markdown file. While it does not modify Gmail state, writing email metadata, subjects, and drafted replies to disk creates a new confidentiality risk if the local machine, workspace, or logs are accessible to others.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security documentation claims the skill is read-only, but the implementation performs filesystem writes to save an inbox report. This discrepancy can cause users to run the skill under an incorrect trust assumption, leading to unintended local data exposure of sensitive email content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill saves email-derived metadata and draft reply content to disk without a clear, prominent warning at the point of setup/use. Because inbox contents often include sensitive business or personal information, silent local persistence increases the chance of accidental disclosure through shared directories, backups, or subsequent tooling that reads the markdown file.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal