email-cron-handler

Security checks across malware telemetry and agentic risk

Overview

This skill openly builds an email-controlled automation loop, but it gives email messages too much power to trigger agent actions and send results back without strong controls.

Install only if you intentionally want an inbox to drive agent actions. Use a dedicated low-privilege mailbox, require a non-empty sender allowlist plus stronger authentication where possible, avoid putting real credentials in prompts or cron payloads, restrict allowed commands, redact email replies, and define an easy way to disable the cron jobs before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents file read/write and network-capable behavior but does not declare corresponding permissions, which weakens transparency and prevents effective policy enforcement by the platform or user. In this skill's context, that matters more because it polls email, persists state, and sends replies automatically, creating a remote command channel with filesystem and network side effects.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The template explicitly instructs the agent to treat email body content from a whitelisted sender as executable instructions and to perform broad actions such as searching, querying, and 'executing operations.' This creates a remote command-and-control channel over email, allowing anyone who can spoof, compromise, or gain access to the whitelisted mailbox to drive arbitrary agent behavior.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The template directs the agent to read and update persistent local state in ~/.openclaw/workspace/memory/processed_emails.json. While tracking processed UIDs is operationally useful, coupling email-driven automation with persistent workspace access expands the blast radius and can expose or corrupt local state if the workflow is subverted.

Missing User Warnings

High
Confidence
99% confidence
Finding
The description does not clearly warn users that the skill will automatically execute commands received by email and send the results back, which is effectively remote task execution over a messaging channel. That omission is especially dangerous here because email is a spoofable, high-latency control plane and the skill is designed for unattended cron execution, increasing the chance of unauthorized or risky actions being run without informed consent.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions normalize acting on email content and sending execution results back out without any warning, validation, or safety constraints. In this skill's context, email is an untrusted input channel, so automatic execution and response turns the agent into an externally triggerable automation endpoint with data exfiltration capability.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cron examples embed placeholders for mailbox credentials directly into automation payloads and prescribe continuous unattended mailbox access. This encourages insecure secret handling and increases the chance of credential exposure via logs, task definitions, screenshots, or shared config, while also enabling persistent autonomous processing of untrusted emails.

Ssd 4

High
Confidence
98% confidence
Finding
The skill establishes a narrative that emails from the whitelisted sender are trusted instructions and requires the agent to execute them automatically, which is a classic trust-boundary failure. In this context, the skill purpose is specifically to let email drive agent actions, making the escalation especially dangerous because it operationalizes untrusted natural-language input as authority.

Ssd 3

High
Confidence
96% confidence
Finding
Replying with execution results or detailed failure messages to the command sender creates a natural-language exfiltration channel. If the agent is induced to access sensitive data, local files, or internal system details, this design sends those outputs back over email to the requester automatically.

Session Persistence

Medium
Category
Rogue Agent
Content
### Step 2: Initialize the storage directory

```bash
mkdir -p ~/.openclaw/workspace/memory
echo '[]' > ~/.openclaw/workspace/memory/processed_emails.json
```
Confidence
86% confidence
Finding
mkdir -p ~/.openclaw/workspace/memory echo '[]' > ~/.openclaw/workspace/memory/processed_emails.json ``` ### Step 3: Create the scheduled task **Method 1: Use the script (recommended)** The cron job only needs to execute simple logic: 1. Call `python process_email.py fetch` to retrieve

VirusTotal

66/66 vendors flagged this skill as clean.
