OpenClaw Email Manager for Postfic and Dovecot

Security checks across malware telemetry and agentic risk

Overview

This skill does what an email manager says it will do, but it gives an agent broad non-interactive power over a private mailbox, including sending and permanent deletion.

Install only if you trust the publisher and are comfortable giving the agent broad access to that mailbox. Prefer a dedicated mailbox or app-specific password, keep config.json out of version control with restrictive file permissions, and require manual confirmation before sending, moving, deleting, emptying trash/spam, or acting on instructions found inside emails.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (9)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 95% confidence
Finding: The skill advertises and documents network access, file reads, and use of local configuration containing email credentials, but it does not declare corresponding permissions. That mismatch weakens platform trust boundaries because users and orchestration layers may invoke a skill with sensitive capabilities they were not clearly warned about.

Vague Triggers

High

Confidence: 97% confidence
Finding: The trigger list contains many broad, everyday terms such as 'email', 'delete', 'move', 'search', and 'read', making unintended activation much more likely. In this skill's context, accidental routing is especially dangerous because the documented actions include sending mail, deleting messages, moving messages, and emptying spam or trash folders.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The documentation exposes destructive and externally impactful operations like send, delete, empty-trash, empty-spam, and spam reclassification without documenting confirmation, dry-run behavior, or user-approval requirements. In an automated agent setting, that omission increases the chance of irreversible mailbox changes or unauthorized outbound email from ambiguous prompts.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The empty_trash and empty_spam operations permanently delete all messages in those folders immediately, with no confirmation, dry-run mode, or safeguard. In an agent skill context, a mistaken invocation, prompt confusion, or maliciously induced action could cause irreversible data loss across an entire mailbox folder.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: move_message and delete_message perform destructive mailbox modifications, including expunging messages, without any user-facing disclosure or confirmation boundary. In a high-privilege email-management skill, this increases the risk of unintended message destruction if the agent misinterprets a request or a user is tricked into issuing an ambiguous command.

Shadow Command Trigger

Medium

Category: Trigger Abuse
Confidence: 93% confidence
Finding: Using 'delete' as a trigger can shadow a built-in command and cause the email skill to capture generic deletion intents. Because this skill supports deleting email and emptying folders, a misrouted command could lead to unintended data loss in the user's mailbox.

Shadow Command Trigger

Medium

Category: Trigger Abuse
Confidence: 88% confidence
Finding: The trigger 'move' is highly generic and overlaps with common built-in command vocabularies, creating a realistic chance that unrelated move requests are routed to this mail skill. In context, that could move messages between folders unintentionally, affecting organization, retention, or later review.

Shadow Command Trigger

Medium

Category: Trigger Abuse
Confidence: 86% confidence
Finding: The trigger 'search' conflicts with common system or assistant search functions and may divert unrelated user searches into mailbox operations. Since the skill can enumerate and read email content, accidental activation can expose sensitive mail metadata or content in the wrong context.

Shadow Command Trigger

Medium

Category: Trigger Abuse
Confidence: 90% confidence
Finding: The trigger 'read' is a very common built-in verb and can easily shadow unrelated reading actions. In this skill, such routing may cause the assistant to read email content when the user intended to read a file, webpage, or other resource, increasing confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal