ClawHub

Simple Email

Security checks across malware telemetry and agentic risk

Overview

This is a real email helper with sensitive mailbox access, but its capabilities are disclosed and fit its stated purpose.

Install only if you are comfortable giving this skill access to the configured mailbox. Use app-specific passwords or authorization codes, keep .env private, set narrow allowed read/write directories, and review any outgoing email, attachment, attachment download, or read/unread mailbox change before allowing an agent to run it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The `testConnection()` function does more than verify SMTP connectivity: after `transporter.verify()` it sends an actual email to `SMTP_USER`. That creates an unintended side effect for a command labeled as a test, which can surprise users, generate unwanted messages, and potentially leak that the account is active or trigger downstream automation.

Intent-Code Divergence

Low
Confidence
94% confidence
Finding
The comment and command description indicate a connection test, but the implementation also sends a message. This mismatch is security-relevant because operators may invoke the command expecting no external side effects, leading to accidental email transmission.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill handles highly sensitive mailbox credentials and can read and send real email, but the documentation does not prominently warn users about the privacy and account-security implications. Users may unknowingly connect personal mailboxes, exposing message contents, contacts, and authentication secrets to local storage or misuse.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation advertises attachment download and file-based body/subject input, which can read local files into outbound email or write attachment contents to disk, yet it does not clearly warn users about this file-system impact. In practice, this can lead to accidental disclosure of local files or unsafe writes to sensitive directories if users misunderstand the commands.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The download command writes email attachment content to the local filesystem based on user-supplied CLI input, but the script provides no explicit warning, confirmation, or higher-level disclosure that invoking this action will create files on disk. In an agent-skill context, silent file writes are security-relevant because an upstream agent or user may trigger persistence of untrusted email content without realizing it, increasing the risk of storing malicious payloads or sensitive data locally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The SMTP test path sends a real message without an explicit user-facing warning or confirmation. In an agent skill context, users may call `test` assuming it is safe and non-mutating, but it actually performs an outbound action that can create audit, privacy, or workflow side effects.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes the supplied email username and password/app password directly into a local .env file, but it does not clearly warn the user beforehand that secrets will be persisted to disk. Although chmod 600 reduces exposure, credentials at rest can still be recovered by the local user, backups, shell history-adjacent workflows, or accidental inclusion in archives/repos.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
After creating the configuration, the script automatically performs IMAP and SMTP tests, including sending a test email, without asking for explicit consent at that stage. This can transmit credentials and email content over the network unexpectedly, which is risky in setup flows where users may only expect local configuration generation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal