Apple Mail

Security checks across malware telemetry and agentic risk

Overview

The plugin is a real Apple Mail integration, but it can automatically read email, send replies, and attach local files without clear per-message user approval.

Install only if you are comfortable giving this plugin active control over a configured Apple Mail account. Use a dedicated mailbox, keep `allowFrom` and `allowOutboundTo` narrow, avoid wildcard senders, disable archiving unless needed, review logs for email-content exposure, and do not use it for sensitive mail until it has explicit send confirmation and safer attachment handling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
This code executes dynamically constructed AppleScript through a shell command (`exec`), giving the skill direct control over Mail.app and the local host context. Even though single quotes are escaped, invoking a shell for script execution expands the attack surface and enables powerful local actions if upstream inputs or future changes weaken escaping or broaden script capabilities.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill can send outbound email with arbitrary body content and optional local file attachments, which creates a clear exfiltration and impersonation channel from the user's mailbox. In an agent setting, this is dangerous because a compromised or prompt-injected workflow could silently transmit sensitive local files or communications to attacker-controlled recipients.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Reply functionality can automatically send messages in existing threads and attach arbitrary local files, enabling silent data exfiltration or fraudulent replies that appear to come from the user. Because thread matching can fall back to subject-based logic, the agent may also respond to the wrong message or thread, increasing the chance of unauthorized disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The unread-message retrieval collects full email bodies and full MIME/HTML source, which may include sensitive message contents, metadata, tracking links, tokens, and embedded identifiers. In an agent environment, broad access to complete mail content materially increases privacy risk and makes prompt-injection or downstream leakage more damaging.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The channel scans a global agent sessions directory, parses prior subagent result text, extracts local filesystem paths, and then auto-attaches matching files to outbound email. This creates an unintended data exfiltration path from internal agent artifacts to external recipients, especially because attachment selection is driven by loosely matched thread/session content and natural-language cues like 'attached' or 'PDF' rather than an explicit, user-approved attachment API.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The code comments claim it only scans 'THIS thread's session file,' but the implementation enumerates a shared sessions directory and picks the first filename ending with `-topic-${threadId}.jsonl`. In a multi-session environment, this can select the wrong file if thread IDs collide or naming is ambiguous, causing cross-session data leakage and attachment of files derived from unrelated conversations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The monitor logs a preview of inbound email body text before dispatching it, which can expose sensitive message content to application logs, operators, log processors, or other tenants depending on deployment. Email often contains credentials, personal data, financial details, and internal business information, so even a 300-character preview materially increases data exposure risk without being necessary for core mail polling functionality.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The README states that the plugin integrates with Mail.app and provides isolated sessions per email thread, but it does not prominently and explicitly warn users that the plugin can automatically ingest inbound email content and generate/send replies through the user's Mail.app account. For an email-channel agent plugin, this missing disclosure can lead to unsafe deployment, privacy surprises, and accidental autonomous outbound communication if operators enable it without fully understanding its capabilities.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The plugin executes AppleScript via osascript to read, reply to, send, archive, and inspect Mail without any explicit user confirmation at execution time. In a skill that processes inbound content and can autonomously act on it, this grants powerful local side effects over the user's mail client and increases the risk of unauthorized messaging or mailbox manipulation.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill is designed to auto-send email replies from model output, and the prompt explicitly instructs the model to always respond and never stay silent. In context, inbound emails and prior thread history are fed to the model, so prompt-injection or sensitive-content manipulation can directly cause unintended outbound emails to external parties.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code fetches media URLs and writes their contents to temporary files automatically, then may attach them to outgoing mail. This creates an implicit network/file-write side effect and can be abused to retrieve attacker-controlled content, persist it locally, and exfiltrate it through email attachments without clear user awareness.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This code reads and returns full unread email bodies and MIME/HTML content without any in-file evidence of user disclosure or consent gating. That creates a privacy and transparency problem, especially because users may not expect an agent skill to ingest complete mailbox contents rather than minimal metadata.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Historical thread retrieval reads prior email content and full MIME/HTML source without visible disclosure or confirmation in this file. Access to historical messages expands the privacy impact beyond unread mail and can expose older sensitive conversations to agent processing without clear user awareness.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
Reply operations can send outbound messages and attachments with no visible confirmation step in this code, allowing automated actions on behalf of the user. In a hostile prompt or compromised workflow, that can be abused to message attackers, leak sensitive files, or socially engineer contacts using the user's identity.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
Direct reply can transmit email and optional attachments without any user-facing confirmation in this component. That makes accidental or malicious autonomous sending possible, particularly since the skill can operate on mailbox data and local file paths in the same flow.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
New email sending accepts recipient, content, and local attachment paths and sends them immediately, with no visible confirmation or disclosure in this file. This is dangerous because it gives any caller a ready-made exfiltration path and the ability to impersonate the user in outbound communications.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
Archiving moves messages out of the inbox without any visible warning or disclosure, altering the user's mailbox state automatically. While less severe than sending mail, it can hide important messages, interfere with workflows, and reduce visibility into malicious or mistaken processing.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The code logs a preview of table-derived markdown extracted from email content, which can include sensitive user data such as personal information, financial details, or confidential business content. Even truncated previews are still plaintext disclosure to logs, which are often broadly accessible, retained for long periods, and exported to third-party monitoring systems.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
This log statement emits a preview of the combined extracted email text, directly exposing processed email body content in application logs. Because email bodies routinely contain secrets, account data, or regulated personal information, this creates an unnecessary secondary data exposure channel outside the primary application flow.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This code records user email content in logs without any indication of user disclosure, consent, or necessity, creating a privacy and compliance risk in addition to technical data leakage. Because logs are commonly retained longer than primary message processing data and replicated across systems, the preview can widen the blast radius of any sensitive email content.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The agent prompt instructs the model to always produce a response that will be automatically sent as an email reply, using full thread context. That combination materially raises the chance that sensitive details from the conversation or prior messages are echoed back to recipients, especially under prompt injection or social engineering conditions.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The plugin injects prior email history, including parsed HTML-derived content, into the model context for response generation. This enlarges the sensitive context available to the model and makes it easier for malicious or accidental prompts to induce disclosure of earlier private messages in later outbound replies.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The function prepends the full prior email thread into the AI-visible message by default, which can expose historical user content, sensitive data, or unrelated context to downstream model processing beyond what is necessary to handle the current email. In an email integration, thread history often contains personal, financial, or confidential business information, so automatic inclusion increases unnecessary data disclosure and the blast radius of any prompt injection or model misuse in earlier messages.

Ssd 3

Severity: Medium
Confidence: 88%
Finding
The code enriches inbound messages with full thread history before sending them onward for AI handling, which can unnecessarily expose prior messages, attachments-derived text, or sensitive context unrelated to the current reply. This increases the chance of over-sharing confidential historical content to the model and can also cause that content to influence generated responses in ways the user did not intend.

VirusTotal

64/64 vendors flagged this plugin as clean.
