Clawhub Github Publish VcNh8z
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a mail integration, but it under-declares sensitive credentials and can bridge incoming email into an OpenClaw gateway session with broad operator/admin authority.
Review carefully before installing. Only use this if you intend to connect the specified JMAP mailbox to OpenClaw, and verify the server URL, credentials, gateway token, and requested gateway scopes. Prefer a version that requires explicit approval before email-triggered agent actions, limits gateway permissions, and clearly documents what email content is sent to the agent.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A person who can send email to the connected mailbox may be able to influence the agent’s goals or instructions.
The plugin fetches full email body content and routes new messages into a function explicitly named as delivery to the agent. Incoming email is untrusted external content, and the visible artifacts do not show a user approval or sanitization boundary before agent processing.
properties: ['id', 'subject', 'from', 'to', 'textBody', 'htmlBody', ... 'bodyValues'],
fetchTextBodyValues: true
...
await deliverToAgent(email)

Treat incoming email as untrusted content, require explicit user approval before creating agent turns, and add prompt-injection-resistant framing that prevents email text from becoming authoritative instructions.
If the plugin or an email-triggered agent turn is misused, it may act with broad OpenClaw authority rather than only reading or managing email.
The plugin connects to the OpenClaw gateway as an operator and requests broad admin/write/approval/pairing scopes, which exceed a narrowly scoped email integration and are not clearly bounded in the artifacts.
role: 'operator',
scopes: ['operator.admin', 'operator.read', 'operator.write', 'operator.approvals', 'operator.pairing'],
caps: ['tool-events']

Reduce gateway scopes to the minimum needed, avoid approval/pairing/admin scopes by default, and document exactly which OpenClaw actions the plugin may perform.
Email content and agent commands may flow through a privileged local gateway channel in ways the user may not expect.
The plugin creates a WebSocket channel to the OpenClaw gateway as an operator. Combined with the mail-fetching path, sensitive email content and agent-control messages cross a gateway boundary whose identity, authorization, and data handling are not clearly constrained in the provided artifacts.
const socket = new WebSocket(url)
...
socket.send(JSON.stringify({
type: 'req', id: connectId, method: 'connect',
params: { ... role: 'operator' ... }

Document the gateway protocol and data flow, require authenticated local gateway access, constrain what email data is sent, and make the user approve any external-email-triggered agent action.
The plugin may keep monitoring the mailbox and reacting to new messages after installation.
The plugin is designed to keep a long-lived email delivery listener and reconnect over time. Real-time email listening is purpose-aligned, but users should understand it can continue reacting to incoming mail in the background.
export const EVENTSOURCE_URL = `${JMAP_URL}/jmap/eventsource/?types=EmailDelivery&closeafter=no&ping=60`
...
export const RECONNECT_MAX_MS = 60000

Provide a clear enable/disable control, disclose the background listener, and allow users to limit which mailboxes or senders can trigger processing.
Dependency installation may be harder to verify against the published package identity.
The lockfile identity/version differs from the package metadata for @kryptt/openclaw-jmap-plugin version 0.2.7, which weakens reproducibility and provenance clarity.
"name": "@hr-home/openclaw-jmap-plugin", "version": "0.1.0"
Regenerate and publish a matching lockfile for the released package/version and avoid fallback install behavior that bypasses the lockfile.
