IMAP Mailbox

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This IMAP email skill is not clearly malicious, but it handles mailbox credentials and private email while disabling TLS verification and persisting email data in under-disclosed local workspace paths.

Review before installing. Only use this if you are comfortable giving it access to your mailbox credentials and private email. Prefer a fixed version that verifies TLS certificates, uses HTTPS npm registry URLs, narrows triggers, documents all local storage, and asks before saving email bodies, attachments, or digests to disk.

SkillSpector (8)

By NVIDIA

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill describes functionality that inherently requires network access to an IMAP server and likely access to locally stored credentials, yet it declares no corresponding permissions. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can access email data and secrets, increasing the risk of unauthorized mailbox access or exfiltration if the implementation is abused or compromised.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The skill stores mailbox-derived state in a generic workspace memory path under ~/.openclaw/workspace/memory, which broadens exposure of email-related metadata beyond the IMAP feature's immediate needs. In an agent/workspace environment, other tools, skills, or users with local access may read these files and infer mailbox activity, creating unnecessary privacy leakage.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exports full email bodies and attachments from IMAP into a local workspace directory, which broadens the data exposure surface beyond simply reading mailbox contents. Because it writes potentially sensitive material to a shared or tool-accessible workspace path, other processes, users, or later agent actions may access confidential email data without explicit user awareness.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are very broad for a highly sensitive domain: ordinary requests like checking email or reading inbox content could invoke this skill without sufficiently clear user intent. In the context of email access, accidental invocation is more dangerous than usual because it may expose private message contents, metadata, or attachments from a user's mailbox.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The digest feature writes email metadata to local markdown files without explicit user notice or consent, exposing sender, subject, date, and UID information on disk. In shared or agent-managed environments, this can leak sensitive mailbox content through filesystem access, backups, indexing, or downstream tools that scan the workspace.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script saves parsed email text to disk without any warning, prompt, or consent flow, which can expose sensitive message content to unintended local access. In the context of an email skill, mailbox data is especially likely to contain personal, financial, legal, or corporate information, making silent persistence more dangerous.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The lockfile pins package downloads to a specific third-party regional mirror over plain HTTP, which removes transport security and allows network attackers or compromised mirror infrastructure to tamper with tarballs in transit. Although npm integrity hashes provide some protection, using insecure transport and an undocumented non-default source still creates a software supply-chain risk and can also leak dependency requests to untrusted infrastructure.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
Additional dependencies are likewise locked to the same plain-HTTP regional mirror, expanding the attack surface across the dependency tree. In a skill that processes email and attachments, supply-chain compromise is especially concerning because a tampered dependency could gain access to mailbox contents, credentials, and downloaded attachment data.

Static analysis

Insecure TLS verification

Warn
Finding
HTTPS certificate verification is disabled.

Insecure TLS verification

Warn
Finding
HTTPS certificate verification is disabled.

VirusTotal

VirusTotal findings are pending for this skill version.