Email Customer Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a plausible email assistant, but it needs review because it handles mailbox contents and credentials while several external data flows and controls are under-scoped or inconsistent.

Review carefully before installing, especially on production or regulated mailboxes. Use a dedicated mailbox or an app password, restrict the folders it reads and the Feishu recipients it pushes to, assume that email subjects, snippets and bodies may be sent to the configured AI providers and to Feishu, and fix or avoid --dry-run if you need a true preview-only mode. Pin dependencies and clarify or remove the token-validation behavior before broader deployment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The documentation makes conflicting safety claims: it says the skill is 'read-only' and does not send email, while earlier sections state it can generate replies and send them after user confirmation. This kind of mismatch can mislead users into granting mailbox access under false assumptions, weakening informed consent and increasing the chance of unintended outbound actions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The CLI exposes a '--dry-run' flag that promises check-only behavior, but the code never uses this flag to suppress side effects. As written, processing still reaches Feishu push logic via process_emails(), so operators may unintentionally transmit email-derived data externally when they explicitly requested a non-pushing run.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The listing states that the skill fetches email content, classifies it with AI, and pushes alerts/summaries to Feishu, but it does not disclose any privacy boundaries, data minimization, retention, or third-party transmission warnings. Because emails often contain sensitive personal, financial, or business data, sending their contents or derived summaries to external AI APIs and messaging platforms can create unintended data exposure and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes pulling email via IMAP, sending content to external AI providers for classification/reply generation, and pushing summaries to Feishu, but it does not clearly disclose privacy boundaries, data handling, retention, consent, or minimization. For a skill processing potentially sensitive customer communications, this creates a real data exposure and compliance risk even if the functionality is intentional.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill asks users to provide highly sensitive credentials, including IMAP account details, app passwords, AI API endpoints, and Feishu webhook/user identifiers, but does not document how those secrets and email contents are stored, processed, retained, or protected. Because the skill processes private mailbox data and forwards summaries to external services, the absence of privacy, retention, and secret-handling guidance materially increases the risk of credential leakage and unintended disclosure of sensitive email content.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly states that an AI model analyzes email content and generates reply suggestions, but it does not warn users that full email bodies and potentially sensitive personal or business data may be transmitted to external AI providers. In a mailbox-processing skill, that omission is security-relevant because users may unknowingly expose confidential communications, attachments, or regulated data to third-party services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document advertises automatic IMAP access to arbitrary mailboxes and continuous retrieval of new mail, but does not prominently warn that users must provide mailbox credentials and grant ongoing access to mailbox data. This is dangerous because it normalizes broad, persistent access to sensitive communications without clearly disclosing the trust and exposure implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Unread email data is sent to external AI classification/reply-generation components and optionally to Feishu, yet this file provides no user-facing notice, consent flow, or clear disclosure at execution time. In a mail-handling skill, that can expose sensitive business or personal content to third parties without the operator fully realizing the data flow.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
When AI mode is enabled, the code sends email subject and body/snippet content to an external OpenAI-compatible API endpoint with no built-in consent check, minimization control, or disclosure mechanism. Because emails commonly contain personal, financial, or confidential business data, this can cause unintended data exfiltration to third-party services or untrusted endpoints configured by the operator.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The module sends email-derived data such as sender, subject, date, summary, and optionally reply suggestions to Feishu via outbound HTTP requests, but the code provides no consent flow, disclosure, redaction, or policy gate before transmitting potentially sensitive business or personal information. In an email-handling skill, this is a real privacy and data-governance risk because users may not realize message contents are being forwarded to an external service.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The personal-message push path transmits email-related content to Feishu's open platform API using an app token and open_id, again without any built-in notice, consent, or sensitivity filtering. This creates the same external data exposure risk as webhook delivery, and may be more privacy-sensitive because content is routed to an individual recipient account.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Customer email contents, including sender, subject, body, and optional custom instructions, are transmitted to an external AI provider for processing without any built-in consent, disclosure, redaction, or policy gate. In a mail-handling context, this can expose sensitive or regulated data to third parties and create privacy, compliance, and data-governance risk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
Confidence
94% confidence
Finding
imapclient>=2.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
95% confidence
Finding
email>=4.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
94% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
imapclient>=2.3.0
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
98% confidence
Finding
pyyaml>=6.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
email>=4.0.0
openai>=1.0.0
pyyaml>=6.0
requests>=2.28.0
Confidence
98% confidence
Finding
requests>=2.28.0

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
97% confidence
Finding
pyyaml

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
96% confidence
Finding
requests

VirusTotal

VirusTotal findings are pending for this skill version.