ClawHub

Gmail Skill

Security checks across malware telemetry and agentic risk

Overview

This Gmail skill is mostly coherent, but it needs Review because it can run persistent mailbox-changing jobs, permanently delete email, and forward raw Gmail task output to WhatsApp.

Install only if you are comfortable granting broad Gmail control and sending Gmail task status/results to a configured WhatsApp recipient. Avoid the full-scope authorization unless permanent deletion is truly needed, verify the Gmail account and WhatsApp target before each background job, and prefer a revised version with no eval-based command runner, redacted notifications, dry-runs, in-script confirmations, restrictive token permissions, and a cancel command for background jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill sends progress and results over WhatsApp even though its stated purpose is Gmail management. That introduces an additional data flow to a third-party messaging channel, which can expose mailbox metadata or message-derived summaries outside the expected Gmail context.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The documentation expands the skill from mailbox operations into cross-channel result delivery without prominently framing that as a separate feature. Users activating a Gmail skill may not reasonably expect email-related outputs and progress updates to be transmitted via WhatsApp.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script sends operational details over WhatsApp even though the skill is presented as Gmail automation. That out-of-scope messaging channel creates an unnecessary data egress path and can expose task names, account identifiers, and workflow context to an external destination without clear justification.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The script description says it will clean out Spam and Trash, but the implementation only removes the SPAM and TRASH labels via Gmail batch modify. In Gmail, removing those labels can return messages to the inbox or All Mail rather than deleting them, so users may believe sensitive or unwanted mail was purged when it was actually restored, creating privacy, retention, and workflow risks.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The user-facing output states that messages were "purged," but the code only removes labels. This is dangerous because operators may rely on the output as confirmation of deletion and stop investigating, while the messages remain accessible elsewhere in the mailbox, potentially reappearing in inbox views or being retained contrary to policy.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation trigger is overly broad, using generic terms like 'email' and 'inbox' that can cause the skill to activate in loosely related conversations. In a skill with destructive capabilities such as purging, deleting labels, and permanent deletion, over-triggering increases the chance of unintended invocation and unsafe follow-on actions.

Missing User Warnings

High
Confidence
96% confidence
Finding
Background execution sends progress and final results via WhatsApp, but the skill description does not clearly warn users that mailbox-derived information may be transmitted externally. This creates a significant privacy and compliance risk because sensitive operational details can leave the Gmail environment without informed consent.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill enables permanent deletion of messages when a full-scope token exists, but the user-facing warning does not strongly emphasize irreversibility. In a tool that already supports destructive background workflows, understated warnings increase the risk of accidental permanent data loss.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically transmits task status to WhatsApp before daemonizing and without any confirmation flow in the script. In a Gmail automation context, silently forwarding task context to an external messaging platform is dangerous because users may not expect cross-service sharing of account-related metadata.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The script reads account and notification identifiers from environment variables and later persists them in a registry file under the user's home directory. While not necessarily exploitable on its own, storing identifiers without access controls or disclosure increases local privacy risk and broadens exposure if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script performs destructive actions (trash or permanent delete) immediately after listing targets, with no confirmation prompt, dry-run mode, or explicit force flag. In a Gmail automation skill, this is especially dangerous because a typo in the label/date or use of a full-scope token can irreversibly delete large volumes of email with no user checkpoint.

Ssd 3

High
Confidence
99% confidence
Finding
On completion or failure, the script sends the last 50 lines of the task log to WhatsApp. Gmail task logs can easily contain message subjects, addresses, labels, account details, or error traces with sensitive content, so this behavior creates a direct exfiltration channel to an external chat target.

Ssd 3

Medium
Confidence
90% confidence
Finding
The initial status message includes the Gmail account identifier and task name, disclosing account context to the configured WhatsApp recipient. In the context of a Gmail skill, this external disclosure is more dangerous because it links email account activity to an outside communication channel that may be poorly controlled.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal