ClawHub

Emailable

Security checks across malware telemetry and agentic risk

Overview

This appears to be a normal Emailable connector, but it can create batch verification jobs and includes a remote CLI installer step users should review.

Install only if you intend to connect Emailable through OOMOL and are comfortable sending the relevant email addresses or batches to that service. Review the oo CLI installer before running it, and require explicit confirmation before creating batch verification jobs or submitting bulk email data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The manifest says the skill should be used for 'searching and reading data,' but the documented actions include `verify_batch_emails`, which creates a batch verification job and changes external service state. This mismatch can mislead an agent into invoking a write-capable skill in situations where only read-only access was expected, weakening user-consent and tool-selection safety boundaries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The instruction to use this skill for 'ANY Emailable request' is overly broad and may cause the agent to route all Emailable-related tasks through this skill, even when that is unnecessary or unsafe. In context, this increases the chance of accidental execution of connector actions, including state-changing ones, based on weak keyword matching rather than precise intent.

External Script Fetching

High
Category
Supply Chain
Content
- **`oo: command not found`** — install the oo CLI (other platforms: <https://cli.oomol.com/install-guide.md>):

  ```bash
  curl -fsSL https://cli.oomol.com/install.sh | bash    # macOS / Linux
  ```

  ```powershell
Confidence
97% confidence
Finding
curl -fsSL https://cli.oomol.com/install.sh | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal