ClawHub

Nylas Email, Calendar & Contacts

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Nylas integration that clearly exists to access email, calendars, and contacts, including sending email and changing events.

Install only if you intend to let OpenClaw use your Nylas-connected email, calendars, and contacts. Prefer a narrowly scoped Nylas grant or set NYLAS_GRANT_ID for a specific account, and require confirmation before sending emails or creating, updating, or deleting calendar events.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This skill advertises broad access to email, calendar, and contacts, including reading full messages and searching contacts, but does not warn users that it can access highly sensitive personal and business data. In a skill marketplace or agent environment, that omission can lead users to authorize the plugin without understanding the privacy implications, increasing the risk of unintended data exposure or overbroad use.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The listed tools include actions that can modify external state, such as sending emails, creating events, updating events, and deleting calendar events, but the skill description provides no warning that these operations may have irreversible or user-visible consequences. Without explicit notice, users may invoke the skill expecting read-only behavior and unintentionally trigger harmful actions like emailing recipients or deleting meetings.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal