ClawHub

Daily Medium

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it requires broad Gmail mailbox credentials and promotes third-party paywall-mirror use, so users should review it carefully before installing.

Install only if you are comfortable granting this skill Gmail IMAP access through a revocable app password. Use a dedicated or low-risk mailbox if possible, revoke the app password when done, and understand that Freedium links or summaries can expose article URLs and reading activity to a third-party mirror and may have terms-of-service implications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill requires access to environment variables and network services but does not explicitly declare those capabilities. That weakens user and platform visibility into what the skill can access, especially since it handles Gmail credentials and external HTTP requests. In this context, undeclared capabilities are risky because the skill reads inbox data and contacts third-party services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior understates the sensitivity of what the skill does: it accesses a Gmail inbox via IMAP using credentials, reads email content, and parses message bodies. That is materially more sensitive than simply 'fetching Medium digests,' and the claimed summarization behavior is only illustrative rather than part of the core function. This mismatch can mislead users into granting inbox access without understanding the true scope of data access and external transmission.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages use of a third-party Freedium mirror to bypass Medium's paywall but does not clearly warn that article URLs and fetched content will be transmitted to that external service. Users may not realize that reading preferences, tracking parameters, or content requests are exposed to a non-Medium third party. In a skill processing email-derived links, this omission increases privacy risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation instructs users to supply Gmail app-password credentials but does not provide a strong warning about the sensitivity of those secrets or how they are stored, passed, and protected. Even app passwords grant mailbox access and can expose private communications if mishandled. Because this skill reads email over IMAP, poor credential handling materially raises account-compromise and privacy risks.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill silently sources email credentials from environment variables without an explicit user-facing disclosure at the point of use. In an agent-skill setting, undisclosed access to mailbox credentials can surprise users and normalize unsafe secret handling, increasing the risk of inappropriate credential exposure or misuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code connects to Gmail, selects the inbox, and searches mailbox contents without any in-code indication of consent, disclosure, or scope limitation beyond sender filtering. In a skill ecosystem, remote mailbox access is sensitive because it can expose personal data and user communications if the behavior is broader than the user expects.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal