ClawHub
Back to skill

Security audit

Imap Mail

Security checks across malware telemetry and agentic risk

Overview

This email skill is mostly coherent, but it deserves review because it combines broad mailbox control with under-scoped full-message webhook forwarding and an attachment-saving file overwrite risk.

Review before installing. Use an app-specific mail password, lock down the env file, keep the API bound to 127.0.0.1, avoid setting MAIL_IDLE_WEBHOOK unless the endpoint is trusted and preferably local, and be cautious with --save-attachments until filenames are sanitized. Confirm you are comfortable with persistent contact notes, rules, scheduled sends, and automated mailbox changes before enabling the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Tainted flow: 'req' from os.getenv (line 333, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
IDLE_WEBHOOK, data=data,
            headers={"Content-Type": "application/json"},
        )
        urllib.request.urlopen(req, timeout=10)
    except Exception as e:
        _idle_status["error"] = f"webhook: {e}"
Confidence
98% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Tainted flow: 'req' from os.getenv (line 333, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
IDLE_WEBHOOK, data=data,
            headers={"Content-Type": "application/json"},
        )
        urllib.request.urlopen(req, timeout=10)
    except Exception as e:
        _idle_status["error"] = f"webhook: {e}"
Confidence
95% confidence
Finding
urllib.request.urlopen(req, timeout=10)

Tainted flow: 'req' from os.getenv (line 29, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
method="POST",
    )
    try:
        resp = urllib.request.urlopen(req, timeout=15)
        return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        print(f"HTTP {e.code}: {e.read().decode()}", file=sys.stderr)
Confidence
91% confidence
Finding
resp = urllib.request.urlopen(req, timeout=15)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The contact-memory/CRM feature persists notes, tags, and interaction history about third parties, which is broader than routine mail handling and introduces unnecessary personal-data retention. That increases privacy and compliance risk, especially if the stored notes contain sensitive summaries inferred from email contents.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The security notes say certificate verification is enabled by default and self-signed certificates require an explicit opt-in, but the compatibility note says self-signed certificates are accepted automatically. Conflicting TLS guidance can cause operators to deploy with unsafe assumptions and potentially accept unverified certificates, enabling man-in-the-middle interception of email credentials and contents.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The rules subsystem is internally inconsistent: creation claims only 'flag' is supported, but application also honors 'mark-seen', and analyze/apply persists 'move-to:' actions that the rule executor never implements. This mismatch can cause users or higher-level agents to rely on behavior that differs from policy, leading to silent mailbox state changes or failure to apply intended routing controls.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This script adds contact-memory/CRM capabilities that go beyond ordinary IMAP/SMTP mail transport and mailbox management described in the skill metadata. Storing notes, tags, history, and profile context about people creates a separate surveillance and persistence function that increases privacy risk and broadens the data-handling scope without clear user justification.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code implements persistent storage and mutation of contact profiles, including names, tags, and free-form notes, which can contain sensitive personal or business information unrelated to core email delivery. In the context of an email skill, this is more dangerous because the system can silently accumulate dossiers on correspondents and retain them across interactions, creating privacy, compliance, and misuse risks.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill documents destructive actions such as deleting messages and bulk state changes without prominent warning, confirmation, or mention of reversibility. In an agent context, that increases the chance of accidental mailbox modification or permanent loss triggered by ambiguous instructions or automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation encourages automatic collection of contact history and note persistence but does not clearly warn that this creates a local dossier about correspondents derived from their messages. That omission is risky because users may unknowingly store sensitive personal or business information beyond the original email system.

Natural-Language Policy Violations

Low
Confidence
90% confidence
Finding
The statement that self-signed certificates are accepted automatically conflicts with earlier safer guidance and normalizes insecure TLS behavior. Even if only documentation is wrong, it can lead users to configure the service insecurely or trust endpoints without proper verification.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation explicitly instructs operators to place the IMAP/SMTP password in a plaintext environment file. Even with chmod 600, this remains sensitive secret material on disk and may be exposed through backups, misconfiguration, accidental disclosure, or privileged local access; the document also omits warnings about safer secret-handling options.

Missing User Warnings

High
Confidence
98% confidence
Finding
The webhook sends full email-derived message objects off-box without any in-band warning, minimization, or consent check. In the context of a personal-email skill, this is especially dangerous because mailbox contents often include highly sensitive personal and business data, so the feature materially increases privacy and data-loss risk.

Missing User Warnings

Low
Confidence
97% confidence
Finding
Attachment filenames returned by the API are joined directly into the user-specified save directory without sanitization. A malicious email attachment name such as ../../.ssh/authorized_keys or an absolute path could cause files to be written outside the intended directory, leading to arbitrary file overwrite if the user invokes --save-attachments on attacker-controlled mail.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code posts full email objects to an external webhook without any in-code disclosure, minimization, or guardrails. In an email skill, silently transmitting message bodies, headers, participants, and metadata to another service is a significant confidentiality risk, especially if users assume mail stays local to IMAP/SMTP.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The health endpoint discloses the mailbox identity and IMAP host, which are sensitive operational details that can aid targeting, account enumeration, and reconnaissance. Even though the service binds to localhost by default, local exposure still matters in agent environments where other local processes or port-forwarded tools may access it.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The idle status endpoint reveals the configured webhook destination and VIP sender list, both of which are sensitive metadata. This can expose internal integration endpoints and socially valuable contact information, increasing reconnaissance and privacy risk in the context of a mailbox-management service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Attachment filenames come from remote message data and are joined directly with the user-supplied save directory before writing. A crafted filename such as '../../../.ssh/authorized_keys' or an absolute path could escape the intended directory or overwrite local files, which is especially risky because this mail skill processes untrusted email content and attachments from external senders.

Ssd 3

Medium
Confidence
88% confidence
Finding
The flagged-sender workflow instructs the system to pull full contact history, generate detailed reports, and automatically save new summary notes, effectively profiling correspondents over time. This creates a persistent surveillance-style record that exceeds what is necessary for basic email handling and may expose sensitive relationship history if the local store is accessed.

Ssd 3

High
Confidence
96% confidence
Finding
The IMAP IDLE webhook sends full message fields, including body content, to another endpoint whenever new mail arrives. This materially expands the data exposure surface and can leak sensitive email contents to a secondary service, especially if the webhook is misconfigured, logged, or not strongly authenticated.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.