Near Email Reporter

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned and not malicious, but users should handle SMTP passwords carefully because they are entered on the command line and saved locally.

Use an app-specific SMTP password, not your primary email password. Be aware that --pass may remain in shell history and ~/.near-email/config.json stores the credential locally; verify permissions and avoid using this on shared machines. Also test before relying on alerts, scheduled reports, or actual email delivery because those features are only partially implemented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly states that SMTP configuration, including credentials, is stored in a local config file, but it provides no warning about protecting that file, using restrictive permissions, or avoiding plaintext secret storage. This can lead users to store email passwords or app passwords insecurely on disk, increasing the risk of credential theft from local compromise, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill sends account reports and alerts through third-party SMTP infrastructure and to external email recipients, but the documentation does not clearly warn users that account-related data and message contents leave the local environment. This can lead to unintended disclosure of financial or operational information, especially if recipients, SMTP relays, or shared mailboxes are misconfigured.

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup flow instructs users to pass SMTP passwords directly on the command line using --pass, which risks credential exposure through shell history, process listings, logs, and screenshots. Even if the configuration file later has restricted permissions, the initial credential entry method is insecure and can leak secrets to other local users or monitoring tools.

Missing User Warnings

Medium
Confidence: 88%
Finding
SMTP credentials are collected from command-line arguments and then stored in plaintext JSON under the user's home directory. Even with file mode 0600, command-line secrets may be exposed through shell history or process listings, and plaintext local storage increases the chance of credential compromise from local malware, backups, or accidental disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
