ClawHub

Custom Smtp Sender

Security checks across malware telemetry and agentic risk

Overview

This email sender mostly matches its purpose, but it uses stored SMTP credentials to send arbitrary local file content without strong scoping or confirmation, and its documentation overstates safeguards.

Review before installing. Use a dedicated low-privilege SMTP/app password, keep the config file locked down, and only run this after checking the exact recipient, subject, body source, and attachment paths. Do not rely on the advertised retry, logging, or markdown conversion features unless the implementation is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill explicitly relies on reading a local SMTP configuration file from `/home/bb/.openclaw/smtp-config.json`, which is a file-read capability, yet no corresponding permission is declared. Undeclared access to local files weakens user visibility and reviewability, especially because the file contains sensitive credentials that enable outbound network actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
A description-behavior mismatch is security-relevant here because the skill reportedly reads arbitrary local files through a `body_file` parameter while presenting itself primarily as a simple email sender. Hidden or undocumented file-read behavior can be abused to exfiltrate local data over email, and overstated claims about markdown, retries, and logging further reduce trust and make operator review less reliable.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This skill sends message content and attachments over the network using stored SMTP credentials, but the description does not clearly warn users about that data flow or the sensitivity of attached/local content. In a skill designed for email transmission, missing disclosure increases the chance that users unknowingly transmit sensitive files or secrets, particularly since the skill references credential storage and attachment support.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill can send emails and arbitrary file attachments immediately using preconfigured SMTP credentials, with no built-in confirmation, recipient allowlist, or attachment restrictions. In an agent-skill context, that materially increases the risk of silent data exfiltration, spam, or misuse if another component invokes it with attacker-controlled inputs.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The code automatically reads SMTP credentials from a fixed local configuration path and uses them to authenticate without any disclosure or consent at execution time. In a skill environment, this lowers the barrier for unauthorized outbound communication because any caller that can trigger the skill may be able to leverage stored secrets to send email as the configured account.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal