QQ mail manager

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed QQ Mail management skill whose mailbox access, sending, attachment, and move/delete capabilities match its stated purpose, though users should treat it as having full delegated mailbox access.

Install only if you want the agent to access and manage the configured QQ mailbox. Use a dedicated QQ authorization code rather than your account password, keep it secret, revoke it when no longer needed, and carefully review recipients, attachment paths, and move/delete previews before confirming actions.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The script can read arbitrary local files via --subject-file, --body-file, and especially --attachments, then transmit their contents over SMTP to external recipients. In an agent skill context, this expands the capability from mailbox management into local file exfiltration, which is dangerous if an attacker can influence file paths or prompt the agent to include sensitive files.

Vague Triggers

Medium
Confidence: 76%
Finding
The trigger conditions include broad natural-language phrases like viewing, searching, managing, or sending mail, which can cause accidental invocation in ambiguous conversations. Because this skill can read mailbox contents and perform destructive actions like move/delete/send, unintended activation increases the risk of privacy exposure or mistaken email operations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The guide instructs users to provide and then rely on automatic injection of a QQ mailbox authorization code, but it does not clearly emphasize that this code is a sensitive long-lived credential equivalent to mailbox access. Storing it in environment variables and auto-injecting it without security guidance increases the risk of credential exposure through logs, misconfigured runtime environments, shell history, process inspection, or accidental disclosure in debugging and support workflows.

Missing User Warnings

Medium
Confidence: 84%
Finding
This script retrieves full email metadata, message bodies, and attachment names from a live mailbox and prints them as JSON, which can expose highly sensitive personal or business data to downstream agents, logs, or users. In the context of an email-management skill this access is functionally expected, but it is still a real privacy/security risk because there is no apparent minimization, consent check, redaction, or warning before returning mailbox contents.

Missing User Warnings

Medium
Confidence: 90%
Finding
This script logs into a user's QQ mailbox, fetches message headers and body previews, and outputs them as JSON specifically for downstream semantic analysis. That creates a real privacy and data-exposure risk because potentially sensitive email content is transferred to another processing layer without any explicit user-facing notice, consent checkpoint, or minimization beyond a simple length cap.

VirusTotal

VirusTotal findings are pending for this skill version.
