ClawHub

Openclaw Email Bypass

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it gives an agent broad email-sending power through a public Google Apps Script relay while the relay code is missing from the reviewed package.

Review this before installing. Use only with an account you are comfortable sending automated email from, inspect or supply the missing Google Apps Script relay code, require an HTTPS Apps Script URL, use a long random token stored as a secret, rotate it if exposed, and add recipient/rate controls or per-send approval before allowing an agent to send messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly performs network access and reads sensitive environment variables (`GOOGLE_SCRIPT_URL` and `GOOGLE_SCRIPT_TOKEN`), but it does not declare corresponding permissions. That creates a transparency and policy-enforcement gap: users or hosting platforms may approve and run the skill without realizing it can exfiltrate data over the network or use secrets from the environment.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README encourages agents to send emails, including job applications and alerts, through a self-hosted Google Apps Script relay but does not adequately warn about privacy, sensitive-data handling, recipient verification, logging exposure, or organizational policy/compliance risks. In an agent context, this omission can lead users to route personal, confidential, or regulated data through automated outbound email workflows without understanding the security and legal implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The manifest explicitly advertises bypassing SMTP port blocks by routing mail through a Google Apps Script relay, but it does not warn users that email content and metadata will transit a relay layer outside normal direct SMTP delivery. That omission can mislead users about trust boundaries, privacy exposure, and policy/compliance implications, especially because 'bypass' language suggests evasion of network controls that may exist for security reasons.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide instructs users to deploy the Google Apps Script as a public web app with access set to 'Anyone' and relies solely on a bearer-style shared secret for protection. If the URL or token is leaked through logs, environment exposure, source control, or request history, an attacker could abuse the relay to send unauthorized email, potentially causing spam, impersonation, or account reputation damage.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal