UniOne Email API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only UniOne email API skill with disclosed email, tracking, webhook, and analytics features, but users should handle recipient activity data carefully.

Install only if you intend to let an agent operate your UniOne account. Require manual review before sends, webhook changes, deletions, suppression changes, project creation, or event exports; use a least-privileged API key if available; never paste or log the full key; and treat tracking, webhook, and event-dump data as potentially sensitive recipient activity data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill promotes open and click tracking without warning about privacy, consent, or legal requirements. In an email-sending skill, this materially increases risk because operators may enable surveillance features on recipients without understanding compliance obligations or the sensitivity of engagement data.

Missing User Warnings

Medium
Confidence: 91%
Finding
Webhook setup sends recipient activity events to an external URL, but the documentation does not warn that this transfers potentially sensitive behavioral data outside UniOne. That omission can lead to unintended disclosure to third-party systems or insecure endpoints, especially in a skill centered on bulk email analytics and event processing.

Missing User Warnings

Medium
Confidence: 89%
Finding
Event-dump export can produce large datasets of email event history, yet the skill provides no warning about the sensitivity or volume of exported data. In context, this capability could facilitate broad disclosure of recipient metadata, campaign activity, and engagement records if downloaded or stored insecurely.

VirusTotal

64/64 vendors flagged this skill as clean.