Daily Online Sales Data Ranking Analysis (每日网销数据排名分析)

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for a real email-based sales ranking report, but it needs review because it automatically uses mailbox credentials and disables TLS certificate verification.

Install only if the mailbox owner or administrator has authorized this exact use. Remove the disabled TLS certificate verification, use a dedicated least-privilege app password or secret manager, keep the dependent email skill trusted and up to date, and enable cron or Standing Orders only where ongoing automated mailbox access is intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs network-backed mailbox access through a dependent email skill, but the manifest does not declare permissions or clearly surface that capability. This creates a transparency and governance gap: users and policy systems may not realize the skill can access remote email data and external services.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad enough to match normal conversation about rankings or sales performance, which can cause the skill to activate unexpectedly. In this skill's context, accidental activation is more dangerous because execution reads mailbox contents and analyzes potentially sensitive business data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The description explains setup details but does not provide a prominent user warning that the skill automatically reads mailbox contents using configured email credentials. Because the mailbox contains business reporting data and the skill can auto-run on cron, lack of disclosure materially increases the risk of unauthorized or unexpected access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads IMAP credentials from a discovered .env file and uses them to access a mailbox, but there is no visible disclosure, consent gate, or scope limitation in the script itself. In an agent-skill context, silent credential use against a user's email account is sensitive because it enables access to mailbox contents beyond what a user may expect from a ranking-analysis request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code fetches full email bodies from INBOX and parses both text and HTML content for all matching messages from the sender, without any user-facing warning or runtime confirmation. This is dangerous in a skill because mailbox content is highly sensitive, and the fetch scope could expose unrelated data embedded in messages, attachments, or forwarded content.

Credential Access

High
Category
Privilege Escalation
Content
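## Configuration requirements

1. IMAP mailbox connection (configured in imap-smtp-email-chinese/.env)
2. Standing Orders (written to AGENTS.md): authorizes automatic execution
3. Cron scheduled task (weekdays 09:35 BJT): triggers automatically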
Confidence
89% confidence
Finding
.env

VirusTotal

59/59 vendors flagged this skill as clean.
