Email Monitor

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real email-monitoring skill, but it needs Review because it stores mailbox credentials in a local plaintext config and can keep accessing mail through a scheduled job.

Review carefully before installing. Use only a revocable app-specific password, avoid using a primary account password, keep attachment downloads disabled unless filename handling is fixed, protect ~/.openclaw/email-monitor from other users and backups, and remove both the cron job and stored config when monitoring is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly instructs the agent to write configuration and state files to the local filesystem, yet no permissions are declared to make that capability explicit. Hidden or undeclared write behavior reduces transparency and can surprise users or bypass expected consent boundaries, especially because the written files include sensitive mailbox configuration.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The description emphasizes mailbox setup and monitoring, but the body also enables attachment download and local state persistence without clearly surfacing those behaviors in the top-level description. That mismatch matters because attachment saving expands the data-handling scope and can introduce sensitive local file writes beyond what a user may reasonably expect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises automatic attachment downloads and local per-account storage, but gives no warning that the skill may write potentially untrusted files to disk or store sensitive email-derived data locally. In an email-monitoring context, this can expose users to privacy leaks, unsafe file placement, or accidental retention of confidential material if they enable the feature without understanding the risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to supply mailbox credentials or app passwords and enable continuous inbox monitoring, but does not explain how credentials are stored, protected, rotated, or what privacy exposure results from automated access to all incoming mail. Because email accounts often contain highly sensitive personal and business data, missing credential-handling and privacy guidance materially increases the risk of account compromise or unintended data exposure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill directs collection and storage of email credentials, including passwords, in a local config file without warning about sensitivity, encryption, or access controls. Plaintext credential persistence creates a direct account-compromise risk if the host is multi-user, backed up insecurely, synced, or later accessed by malware or another agent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cron-creation step establishes recurring automated mailbox access, but the skill does not clearly warn that this creates persistent background access using stored credentials. Users may not appreciate that monitoring continues after the session ends, increasing risk from stale jobs, unattended data processing, and long-lived secret exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation shows a config example containing both the email address and app password, but it does not warn users against storing secrets in plaintext files, committing them to source control, or sharing them in logs/screenshots. In the context of an email-monitoring skill, those credentials grant direct mailbox access, so insecure handling can expose sensitive emails and potentially enable broader account compromise or abuse.

Ssd 3

High
Confidence
99% confidence
Finding
The skill explicitly instructs the agent to collect and persist mailbox credentials in a local config file. This is dangerous because it centralizes highly sensitive secrets in a predictable path, making theft or misuse straightforward for local attackers, malware, backups, or other tools with filesystem access.

Ssd 3

Medium
Confidence
88% confidence
Finding
After authenticating with stored credentials, the skill instructs the agent to display samples of fetched emails. Showing message contents can expose sensitive personal or business data in the chat interface, logs, screenshots, or to the wrong viewer if the session context is shared.

Session Persistence

Medium
Category
Rogue Agent
Content
- `"standard"` for B  
- `"<custom template string>"` for C

### Step 6 — Summarize and create cron job

Show a confirmation summary:
```
Confidence
93% confidence
Finding
create cron job Show a confirmation summary: ``` 📧 邮件监控配置确认 邮箱:<email> 检查频率:每 X 小时(cron: <expr>) 通知格式:<format> 下载附件:<yes/no>(保存至:<dir>) 确认后将创建定时任务。确认吗?(是/否) ``` After user confirms, create the cro

VirusTotal

63/63 vendors flagged this skill as clean.