Email Verifier

Security checks across malware telemetry and agentic risk

Overview

This email verification skill appears coherent and purpose-aligned, but users should understand that live SMTP checks disclose queried addresses and source IP metadata to mail servers.

Install only if you are comfortable with live SMTP verification. Use it for addresses you own or are authorized to process, avoid scraped or unsolicited lead lists, keep batch sizes and rate limits conservative, and prefer syntax/domain-only checks when privacy or mail-server reputation matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium (84% confidence)
Finding
The invocation guidance is broad enough to encourage use on generic 'email lists,' 'lead lists,' and contact data without strong boundaries or consent requirements. In context, this skill performs active SMTP probing against third-party infrastructure, so vague triggering increases the chance of privacy-invasive validation, reconnaissance-like behavior, or use on harvested addresses at scale.

Missing User Warnings

Medium (94% confidence)
Finding
The skill explains the SMTP workflow but does not clearly warn users that it makes direct network probes to third-party mail servers, exposes the user's IP, and reveals queried addresses/domains to those servers. That omission is significant here because SMTP verification is externally visible, can trigger blocking or blacklisting, and may disclose sensitive contact lists during validation.

Missing User Warnings

Medium (97% confidence)
Finding
The script transmits each target email address, and a synthetic probe address for catch-all detection, to third-party mail servers via SMTP RCPT TO. This creates a real privacy and data-disclosure risk because queried addresses, verification activity, source IP, and timing metadata are exposed to external infrastructure without any explicit warning, consent flow, or minimization controls.

VirusTotal

64/64 vendors flagged this skill as clean.
