ClawHub

Post

Security checks across malware telemetry and agentic risk

Overview

This email skill is coherent and not deceptive, but it should be reviewed carefully because it enables private mailbox access, mailbox changes, persistent monitoring, and mail-triggered local commands without enough safety boundaries.

Install only if you trust the upstream Post Homebrew package and intentionally want agents to access your email. Prefer narrow per-agent tokens, avoid command-line passwords and shared .env files, confirm before moving/trashing/bulk-changing messages, save exports and attachments only in private directories, and enable postd hooks or LaunchAgent auto-start only when you trust the local scripts they run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The setup guide explicitly shows passing an IMAP/app password on the command line. Command-line secrets can be exposed via shell history, process listings, terminal logging, or audit tooling, which is especially risky for email credentials that grant mailbox access. In this skill context, the danger is increased because the document is intended for agent/operator setup, so users may copy-paste the insecure example directly.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The skill advertises itself for a very broad set of email operations, including reading, searching, fetching, drafting, replying, moving, exporting, and downloading attachments, without clear guardrails about when these actions require explicit user confirmation. In an agent setting, this can cause over-invocation and expand access to highly sensitive mailbox contents and outbound communications beyond what a user may have intended.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation instructs use of API keys and environment variables for email access but does not include an explicit warning that these credentials grant access to private mailbox data and must not be exposed in logs, prompts, shell history, or shared environments. In agent workflows, omission of such guidance increases the risk of accidental credential leakage and unauthorized mailbox access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples include destructive commands such as move, archive, trash, and junk without any warning that they mutate mailbox state and can affect multiple messages via UID sets and ranges. In an agent-facing skill, copy/paste recipes are likely to be executed directly, so omission of cautions and confirmation guidance increases the chance of unintended data loss or misclassification of mail.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The documentation writes attachments, PDFs, EML files, and message bodies to /tmp without warning that email contents may contain sensitive data and that temporary directories may be broadly accessible, persistent longer than expected, or monitored by other local processes. In the context of an email-management skill, this can lead to accidental exposure of message content or attachments on shared systems and leaves potentially sensitive artifacts on disk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The hook design intentionally passes full email metadata and body content to arbitrary configured external commands, which creates a real privacy and data-exposure risk if users plug in insecure scripts or third-party tools. In the context of an email-management skill, this is especially sensitive because messages may contain credentials, personal data, confidential business content, and attachment metadata, yet the documentation does not prominently warn users about the trust boundary they are creating.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The example encourages downloading attachments to /tmp without warning that attachments may contain sensitive data or malware, and that temporary directories may be broadly accessible, indexed, or left behind. While this is documentation rather than code execution by itself, it normalizes potentially unsafe local data handling for email attachments, which are a common attack vector.

Session Persistence

Medium
Category
Rogue Agent
Content
<key>StandardErrorPath</key>
       <string>/tmp/postd.log</string>
   </dict>
   </plist>
   EOF
   ```
Confidence
81% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal