Email Bridge

Security checks across malware telemetry and agentic risk

Overview

Email Bridge is a coherent email-management skill, but it handles sensitive mailbox access, stored credentials, outbound sending, background monitoring, and notification forwarding.

Install only if you want OpenClaw to access and manage your mailbox. Protect ~/.email-bridge, prefer least-privilege OAuth or app-specific passwords, avoid putting secrets in shell commands, disable body/link/code notifications unless needed, stop the daemon when not in use, and review every outbound email before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
message = self._format_notification(notification)

self._log(f"Sending notification to OpenClaw: {len(details)} messages")
result = subprocess.run(
    ["openclaw", "system", "event", "--text", message, "--mode", "now"],
    capture_output=True,
    text=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["openclaw", "system", "event", "--text", message, "--mode", "now"], capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill clearly performs sensitive operations—network access to mail providers, local file/database writes, and shell/CLI invocation—yet no explicit permissions are declared. This weakens trust boundaries and informed consent because users and orchestrators may enable the skill without understanding it can access mail, persist credentials, and invoke external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The top-level description understates several materially sensitive behaviors: sending email, storing account/message data in SQLite, extracting links, and invoking `openclaw system event` via subprocess. A behavior-description mismatch is dangerous because it can mislead users and platforms about the real data flows and execution surface, especially where external notifications may expose email-derived content to another channel.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The CLI exposes an outbound email sending capability that is not disclosed in the stated skill description. In an agent setting, hidden or under-declared side-effecting actions are dangerous because they expand the action surface from passive email management to active external communication, enabling data exfiltration, spam, or unauthorized messaging if invoked by a higher-level agent or prompt injection path.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
The daemon functionality reads local configuration and can forward email-derived notifications to OpenClaw, which extends the skill's effective data flow beyond the stated scope. This matters because users or orchestrators may assume the skill only manages local email state, while in practice it can relay message-derived content to another system.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This code sends email content to the OpenClaw CLI even though the skill description only mentions email management and notifications, not relaying message contents to another assistant/session. Because the forwarded data can contain sender details, subjects, body excerpts, and extracted verification codes, this creates an undocumented data-flow and confidentiality breach.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata describes inbound email management features, but this service also exposes outbound email sending. That capability expansion materially changes the trust boundary: an assistant granted this skill could transmit arbitrary content to external recipients, enabling spam, phishing, or unintended data exfiltration if higher-level authorization and consent checks are weak or absent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The design explicitly allows email body content and metadata to be pushed to OpenClaw, but the document does not describe any explicit consent flow, privacy notice, minimization, or per-field opt-in before transmitting potentially sensitive content. Because email may contain personal data, financial details, or one-time codes, forwarding it to an AI assistant or external event system creates a real privacy and data-handling risk even if this is an intended product feature.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger keywords include very common terms like 'email', 'mail', 'check email', and their Chinese equivalents, which overlap with ordinary conversation. In an agent setting, broad triggers can cause unintended skill activation, potentially leading to mailbox access, code extraction, or sending actions when the user did not explicitly intend to invoke this skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notifications section shows that message previews and verification codes can be pushed into an OpenClaw system event channel, but the documentation does not prominently warn that this may expose sensitive email content to the assistant or downstream consumers. In a security context, forwarding OTPs, login alerts, or message snippets into another processing channel materially increases the risk of credential compromise and privacy leakage.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The account-add command accepts arbitrary provider configuration JSON, including likely secrets such as passwords or tokens, without warning users about secret exposure risks. CLI-supplied secrets are often stored in shell history, logs, process inspection, or copied into insecure config paths, creating avoidable credential leakage opportunities.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The daemon start flow can enable forwarding email-derived notifications to OpenClaw without a strong runtime disclosure that message metadata or content may leave the local email bridge. In a tool handling potentially sensitive emails, silent forwarding materially increases confidentiality risk, especially if notification settings later include bodies, codes, or links.

Missing User Warnings

Low
Confidence
88% confidence
Finding
This method sends arbitrary user-provided content and recipient lists over SMTP with no visible authorization, confirmation, rate limiting, or policy validation in this code path. In an AI-assistant context, outbound messaging is high risk because prompt injection, tool misuse, or ambiguous user intent could cause unauthorized external communications, phishing, spam, or leakage of sensitive information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes very generic terms such as "email", "mail", "check email", and Chinese equivalents that are common in ordinary conversation. This can cause the skill to activate in contexts where the user did not intend to grant email access, increasing the chance of unintended access to inbox contents, sending actions, or verification-code handling in a high-sensitivity domain.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The manifest advertises sensitive capabilities including email receive/send, background daemon behavior, notifications, and verification-code extraction, but provides no visible privacy notice, consent language, or safety constraints in the manifest. In this context, the lack of explicit warnings is risky because email accounts contain highly sensitive personal data and verification codes can be used to facilitate account takeover or bypass secondary authentication flows.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs users to download OAuth client credentials and store both credentials and refresh/access tokens under predictable paths in the home directory, but it never warns that these files are sensitive secrets. If those files are exposed through weak filesystem permissions, backups, shared machines, or accidental commits, an attacker could reuse them to access the user's Gmail data and maintain persistent access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell users to place a Gmail app password directly into the skill configuration without any warning about secret handling. App passwords are long-lived credentials for SMTP access, so disclosure through shell history, config files, logs, screenshots, or backups could allow unauthorized email sending and abuse of the account.

Ssd 3

Medium
Confidence
96% confidence
Finding
The notification configuration states that message bodies can be included and verification codes can be extracted and pushed via system events to an AI assistant integration. This materially increases risk because OTPs, password reset links, and sensitive email text could be exposed to another component, logged, intercepted, or misused, potentially enabling account takeover or disclosure of confidential communications.

Ssd 3

High
Confidence
99% confidence
Finding
The daemon can include body previews and extracted verification codes from incoming emails in notifications sent to another AI session/process. This directly exposes highly sensitive content from untrusted inbound email, enabling credential/OTP leakage, account takeover assistance, and privacy compromise if the recipient process is logged, compromised, or accessible by other contexts.

VirusTotal

67/67 vendors flagged this skill as clean.
