Security audit

email-pro-optimized

Security checks across malware telemetry and agentic risk

Overview

This email skill mostly does what it says, but it needs review because it handles mailbox credentials, includes hard-coded Outlook OAuth app credentials, and bundles unrelated developer scripts that can push or sync local files if run.

Review before installing. Use your own Gmail/Outlook OAuth application rather than the bundled Outlook quick-auth credentials, verify requested mail permissions, protect ~/.openclaw/credentials, and avoid running auto-push.py or sync-updates.py unless you intentionally want repository or workspace changes. Confirm recipients and attachment paths before sending email.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import subprocess

def run_command(cmd, cwd=None):
    """Run a command."""  # original docstring was Chinese ("运行命令")
    try:
        result = subprocess.run(
            cmd,
            shell=True,            # cmd is one string parsed by /bin/sh, so metacharacters in it are honoured
            cwd=cwd or SKILL_DIR,  # SKILL_DIR is defined elsewhere in the skill; not shown in this excerpt
            capture_output=True,   # remaining arguments taken from the full call quoted in the finding below
            text=True,
            timeout=30,
        )
        # excerpt ends here; the except clause and return value are not shown on this page
Confidence
96% confidence
Finding
result = subprocess.run( cmd, shell=True, cwd=cwd or SKILL_DIR, capture_output=True, text=True, timeout=30 )
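The finding above is about the call shape, not about any specific command the skill runs: a single string handed to subprocess.run with shell=True is parsed by /bin/sh, so any untrusted fragment that ends up in that string (a filename from an email subject, an attachment name, an account label) can append its own command. The block below is an added example, not code from the skill, that runs the flagged pattern next to a hardened replacement that takes an argv list and never starts a shell. SKILL_DIR is stood in by the current directory, and the "untrusted" value is constructed for the demonstration.

```python
"""Added example: the shell=True pattern from the finding beside a no-shell form.

run_command_shell reproduces the flagged call shape. run_argv is the hardened
version: it accepts only a list of strings and runs with shell=False, so each
element reaches the program as exactly one argument and no shell ever parses
metacharacters such as ';', '|', '$(...)' or backticks.
"""
import os
import subprocess

SKILL_DIR = os.getcwd()  # assumption: stand-in for the skill's own SKILL_DIR


def run_command_shell(cmd, cwd=None):
    """The flagged pattern: one string, interpreted by /bin/sh."""
    return subprocess.run(cmd, shell=True, cwd=cwd or SKILL_DIR,
                          capture_output=True, text=True, timeout=30)


def run_argv(argv, cwd=None):
    """Hardened form: argv list, no shell, argument boundaries preserved."""
    if isinstance(argv, (str, bytes)):
        raise TypeError("argv must be a list of strings, not a shell command string")
    if not argv or not all(isinstance(a, str) for a in argv):
        raise ValueError("argv must be a non-empty list of str")
    return subprocess.run(argv, shell=False, cwd=cwd or SKILL_DIR,
                          capture_output=True, text=True, timeout=30)


def demo(untrusted):
    """Run `echo <untrusted>` both ways; return the stdout lines of each.

    With shell=True the ';' in the value terminates the echo and starts a
    second command. With run_argv the whole value is a single argument to echo.
    """
    shell_lines = run_command_shell("echo " + untrusted).stdout.splitlines()
    argv_lines = run_argv(["echo", untrusted]).stdout.splitlines()
    return shell_lines, argv_lines


if __name__ == "__main__":
    # Constructed untrusted value, e.g. a filename lifted from a mail subject.
    print(demo("report.txt; echo INJECTED"))
```

The same rule applies to the git and sync helpers flagged later in this report: build each git invocation as a list (["git", "add", "--", path]) rather than formatting a string, and pass user-derived paths after "--" so they cannot be read as options.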

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that read/write local credential files, access the network, and invoke shell commands, yet the manifest does not declare corresponding permissions. This creates a trust and review gap: users and platforms cannot accurately assess the privilege level before use, increasing the risk of unexpected access to mailbox contents, OAuth tokens, and local files.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
A description-behavior mismatch is security-relevant because users may authorize an email tool while the broader skill package also performs unrelated actions such as git operations, workspace synchronization, maintenance of OAuth files, and mail-analysis/report generation. Those extra behaviors expand the attack surface and can enable unanticipated data exfiltration or modification of local repositories and sensitive files under the guise of normal email functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The README discloses concrete Outlook OAuth credentials, including a client secret, tenant ID, and client ID, in clear text. Even if these are intended as setup examples, publishing live-looking secrets in documentation materially increases the risk of unauthorized application use, token abuse, phishing pretexting, and compromise of associated Microsoft resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The configuration example shows a stored Outlook client_secret inside a local credentials file, normalizing plaintext secret storage and exposing a specific secret value. This is dangerous because it both leaks a likely real credential and encourages insecure handling of long-lived OAuth secrets alongside token material.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This file adds automatic source-control commit/push behavior to a skill advertised as an email tool, which is unrelated capability expansion. That mismatch increases risk because the script can publish local changes to a remote repository without being expected by users reviewing an email-focused skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script executes shell commands and is designed to interact with Git and GitHub, capabilities that are not justified by the stated email-processing purpose. In a skill context, this creates an unexpected path for local command execution and remote data/code transmission, which materially expands the attack surface.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script stages all changes, commits them, and pushes them to origin, enabling remote publication of whatever exists in the working tree. In a skill package, that can exfiltrate sensitive files, publish malicious modifications, or alter repository state without any relation to the email functionality users expect.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The list_accounts command reads the shared credentials file and prints all configured account names, email addresses, providers, status, and notes. This expands the skill from operating on a selected mailbox to enumerating locally stored account metadata, which can leak sensitive environment information to any caller and aid follow-on targeting of accounts.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The maintenance script accesses OAuth token material from a fixed path in the user's home directory and enumerates account details, even though maintenance tasks like versioning and script checks do not require reading live user credentials. This expands the skill's access to sensitive authentication data and creates unnecessary exposure if the script is run in a privileged user context or its output is logged.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The attachment helper reads any caller-supplied local path and includes the file contents in outbound email. In an agent setting, this creates a file-exfiltration primitive if untrusted input can influence attachment paths, especially because the skill description emphasizes mail operations rather than arbitrary filesystem access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script hard-codes WORKSPACE_DIR to a separate 'workspace-telegram-bot1' path and automatically copies changed skill files into that unrelated workspace. This exceeds the advertised scope of an email skill and creates a supply-chain style risk where modifying the skill can silently alter another project, potentially causing unintended code injection or cross-project contamination.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
This file implements deployment/update automation, changelog generation, version mutation, and prompts for publishing to ClawHub, which are operational behaviors not implied by the skill's stated email-processing functionality. Bundling maintenance automation inside a user-facing email skill broadens the attack surface and can surprise operators with repository or environment modifications unrelated to sending/reading email.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs users to store email credentials and OAuth tokens in local files and to send/read potentially sensitive email content, but it does not warn about privacy implications, token persistence, or local secret protection. In an email-management context this is more dangerous because mailbox data and refresh tokens are high-value secrets that can enable long-lived account access if mishandled.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The script connects to a remote IMAP server and fetches up to 1000 full messages (RFC822), which involves privacy-sensitive network access and retrieval of email content without any explicit consent prompt, dry-run mode, or disclosure at execution time. In an agent skill context, this is more sensitive because users may expect a mail utility but not automatic large-scale content analysis of their inbox.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script automatically reads mail credentials from a fixed local file and uses them to log into the mailbox without any interactive confirmation or scope restriction. In a skill ecosystem, silent credential use increases the risk of unintended mailbox access if the skill is triggered unexpectedly or reviewed insufficiently by the user.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script hardcodes an OAuth client secret and tenant/client identifiers directly in a distributable shell script. Anyone with access to the repository or package can extract and reuse the secret to impersonate the application, abuse the OAuth configuration, or conduct unauthorized mailbox authorization flows, especially because this skill is explicitly designed to access email accounts.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script initiates Outlook authorization and then presents a success message, but it does not warn the user that the process grants mailbox access or describe the scope of permissions being requested. In an email-management skill, silent or poorly disclosed authorization is risky because users may grant broad access to sensitive mailboxes without understanding the security implications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts OAuth client secrets directly as command-line arguments, which can expose them through shell history, process listings, audit logs, or orchestration tooling that records invoked commands. In a credential-handling utility, this is a real secret exposure risk because OAuth client secrets are sensitive and may enable unauthorized use of the application's identity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow automatically stages all local changes and proceeds toward commit/push without a confirmation step. That is dangerous because it can unintentionally include secrets, unrelated files, or destructive repository state changes and then transmit them remotely.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The send_email path transmits outbound email immediately based on CLI arguments and only reports success after the send occurs. In an agent context, lack of an explicit confirmation or dry-run step increases the risk of unintended data exfiltration, accidental delivery to the wrong recipient, or abuse by higher-level prompt injection workflows.

Missing User Warnings

Low
Confidence
88% confidence
Finding
This command exposes configured email addresses and related account metadata from a local credentials file without any disclosure warning or minimization. While less severe than sending mail, it still reveals sensitive personal or operational information that a user may not expect to be surfaced by a mail utility.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads a sensitive OAuth token file without any explicit consent prompt, warning, or clear indication that credential contents will be opened and account metadata displayed. Silent access to credential stores is dangerous because users may execute maintenance tooling expecting harmless checks, while the tool is actually handling authentication secrets.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The code persists access and refresh tokens to a local JSON file under the user's home directory without explicit consent or a clear warning to the user. In an email skill context, these tokens can grant mailbox access and account actions, so silent persistence increases the risk of credential exposure through backups, local compromise, or multi-user environments.
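The last several findings (silent token persistence, client secrets on the command line, and the absence of any guidance on protecting the local credentials file) share one remedy on the user's side: treat the credentials file as a secret store and check it before trusting it. The block below is an added example, not code from the skill, showing the checks a reviewer would want before the skill opens ~/.openclaw/credentials: refuse a file that group or others can read, create token files with mode 0600 from the first write, and take the Outlook client secret from the environment instead of argv so it never lands in shell history or process listings. The file layout, the environment variable name OUTLOOK_CLIENT_SECRET and the sample contents are assumptions for the demonstration; the demo works on constructed files in a temporary directory (POSIX permissions, so Linux or macOS).

```python
"""Added example: permission checks and secret handling for a credentials file.

Assumptions: the credentials file is JSON; OUTLOOK_CLIENT_SECRET is the
environment variable used in place of a --client-secret CLI argument.
"""
import json
import os
import stat
import tempfile


class InsecureCredentialFile(Exception):
    """Raised when the credentials file is readable by other users or not ours."""


def check_private(path):
    """Return the permission bits of path; raise if group/other have any access
    or the file is not owned by the current user."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureCredentialFile(f"{path} has mode {oct(mode)}; expected 0600")
    if st.st_uid != os.getuid():  # POSIX only
        raise InsecureCredentialFile(f"{path} is not owned by the current user")
    return mode


def load_credentials(path):
    """Load the JSON credentials file only after the permission check passes."""
    check_private(path)
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def save_tokens(path, tokens):
    """Persist tokens with mode 0600 from the moment the file is created,
    so there is no window where a default 0644 file holds a refresh token."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(tokens, fh)
    os.chmod(path, 0o600)  # tighten a pre-existing file that had looser bits
    return path


def client_secret_from_env(name="OUTLOOK_CLIENT_SECRET"):
    """Read the OAuth client secret from the environment, never from argv."""
    secret = os.environ.get(name)
    if not secret:
        raise RuntimeError(f"set {name} in the environment; do not pass the secret on the command line")
    return secret


def demo():
    """Exercise the checks on constructed files; returns a dict of results."""
    d = tempfile.mkdtemp()
    creds = os.path.join(d, "credentials")
    with open(creds, "w", encoding="utf-8") as fh:
        json.dump({"accounts": {"work": {"provider": "outlook"}}}, fh)  # constructed sample
    os.chmod(creds, 0o644)  # the unsafe default many editors and scripts leave behind
    results = {}
    try:
        load_credentials(creds)
        results["loose_rejected"] = False
    except InsecureCredentialFile:
        results["loose_rejected"] = True
    os.chmod(creds, 0o600)
    results["tight_loaded"] = load_credentials(creds)["accounts"]["work"]["provider"]
    tok = save_tokens(os.path.join(d, "tokens.json"), {"refresh_token": "constructed"})
    results["token_mode"] = stat.S_IMODE(os.stat(tok).st_mode)
    os.environ["OUTLOOK_CLIENT_SECRET"] = "constructed-secret"
    results["secret"] = client_secret_from_env()
    return results


if __name__ == "__main__":
    print(demo())
```

On a shared or backed-up machine the directory matters as well as the file: ~/.openclaw itself should be 0700, and refresh tokens should be revoked from the provider's account settings once the skill is removed, since deleting the file does not invalidate them.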

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The provider sends email, including optional attachments, immediately once called, with no built-in confirmation, policy gate, or recipient/attachment review. In an agent environment this can enable unintended data leakage or social-engineering-driven outbound actions if upstream prompts or inputs are manipulated.
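The two send-path findings above (send_email acting directly on CLI arguments, and the provider attaching any caller-supplied path) describe a missing policy gate rather than a bug in any one line, so the useful addition is the gate itself. The block below is an added example, not the skill's code, of a check that sits in front of the provider call: attachments are resolved with realpath and rejected unless they stay under an allowed directory (which also blocks symlink escapes), recipients are checked against a domain allowlist, and a dry-run mode returns the plan without sending. The allowlist, the attachment root, the Outbound dataclass and the recording transport are assumptions for illustration; a real deployment would hand the validated plan to the skill's provider.

```python
"""Added example: a policy gate in front of an email send call.

Assumptions: an Outbound message type, an allowed_domains set, an attachment
root directory, and a transport callable standing in for the real provider.
"""
import os
import tempfile
from dataclasses import dataclass, field


class OutboundPolicyError(Exception):
    """Raised when a send would violate the recipient or attachment policy."""


def confine_path(path, root):
    """Return the real path of `path` if it lies under `root`, else raise.

    realpath collapses '..' and follows symlinks, so both '../../etc/passwd'
    and a symlink inside root pointing outside it resolve outside root.
    """
    real_root = os.path.realpath(root)
    real = os.path.realpath(path)
    if os.path.commonpath([real_root, real]) != real_root:
        raise OutboundPolicyError(f"attachment {path!r} resolves outside {root!r}")
    if not os.path.isfile(real):
        raise OutboundPolicyError(f"attachment {path!r} is not a regular file")
    return real


def check_recipients(recipients, allowed_domains):
    """Every recipient must have a domain in the allowlist (case-insensitive)."""
    bad = [r for r in recipients
           if "@" not in r or r.rsplit("@", 1)[1].lower() not in allowed_domains]
    if bad:
        raise OutboundPolicyError(f"recipients not in allowlist: {bad}")
    return list(recipients)


@dataclass
class Outbound:
    to: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def send_with_gate(msg, transport, allowed_domains, attachment_root, dry_run=False):
    """Validate recipients and attachments; return the plan, sending unless dry_run."""
    to = check_recipients(msg.to, {d.lower() for d in allowed_domains})
    files = [confine_path(p, attachment_root) for p in msg.attachments]
    plan = {"to": to, "subject": msg.subject, "attachments": files}
    if dry_run:
        return {"sent": False, **plan}
    transport(to, msg.subject, msg.body, files)
    return {"sent": True, **plan}


def demo():
    """Run the gate over constructed good and bad sends; return the outcomes."""
    root = tempfile.mkdtemp()
    ok = os.path.join(root, "report.pdf")
    with open(ok, "wb") as fh:
        fh.write(b"%PDF-constructed")
    link = os.path.join(root, "passwd")
    os.symlink("/etc/passwd", link)  # symlink escape attempt inside the root
    sent = []

    def transport(to, subject, body, files):  # recording stand-in for the provider
        sent.append((to, files))

    results = {}
    msg = Outbound(["alice@example.com"], "Q3 report", "see attached", [ok])
    results["dry"] = send_with_gate(msg, transport, ["example.com"], root, dry_run=True)
    results["live"] = send_with_gate(msg, transport, ["example.com"], root)
    results["sent_count"] = len(sent)
    traversal = os.path.join(root, "..", "..", "etc", "passwd")
    for name, bad in (("traversal", traversal), ("symlink", link)):
        try:
            send_with_gate(Outbound(["alice@example.com"], "x", "y", [bad]),
                           transport, ["example.com"], root)
            results[name] = "allowed"
        except OutboundPolicyError:
            results[name] = "blocked"
    try:
        send_with_gate(Outbound(["mallory@evil.test"], "x", "y"),
                       transport, ["example.com"], root)
        results["recipient"] = "allowed"
    except OutboundPolicyError:
        results["recipient"] = "blocked"
    results["sent_after_bad"] = len(sent)
    return results


if __name__ == "__main__":
    print(demo())
```

In an agent setting the dry-run plan is what should be shown to the user for confirmation; the transport call happens only after that approval, so a prompt-injected "send this file to X" request stops at the gate instead of at the mail server.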

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.