ClawHub

SZZG007 Product Promotion

Security checks across malware telemetry and agentic risk

Overview

This marketing-email skill is coherent in purpose, but it embeds SMTP credentials and can send outbound email with weakened TLS protections.

Review carefully before installing. Do not use the bundled email sender as-is: remove and rotate the exposed SMTP credential, require your own scoped SMTP credentials, restore normal TLS verification, preview generated content, confirm recipient and subject before every send, and verify you have rights to use downloaded product images and send marketing email to recipients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# 使用 curl 下载
            cmd = ['curl', '-L', '-sS', '-o', str(filepath), url]
            result = subprocess.run(cmd, capture_output=True, timeout=30)
            
            if result.returncode == 0 and filepath.exists():
                size = filepath.stat().st_size
Confidence
93% confidence
Finding
result = subprocess.run(cmd, capture_output=True, timeout=30)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script explicitly disables TLS certificate and hostname verification for SMTP over SSL, which makes the connection vulnerable to man-in-the-middle interception despite using SMTPS. Because the same script also contains live SMTP credentials and sends real email, an attacker on the network path could impersonate the mail server and capture credentials or message contents.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README instructs users to place SMTP credentials, including the password, into a local env file but provides no warning about protecting that file, restricting permissions, or avoiding accidental commits. In a skill centered on automated email sending, this increases the chance of credential leakage, which could enable unauthorized mail use, account compromise, or abuse of the SMTP service.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrasing is overly broad and can overlap with ordinary user requests such as '处理这个商品', increasing the chance that the skill activates without the user clearly intending to run image scraping, local file writes, or email-generation actions. In this skill, accidental activation is more dangerous because execution can lead to automated web fetching and persistence of data into a local asset library, with a later path to outbound email sending.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description advertises automatic extraction of product images and saving them into a local materials library, but does not prominently warn users that it will fetch remote content and write files to disk. This matters because users may supply URLs without realizing the skill performs scraping/download behavior and persists third-party content locally, which raises privacy, storage, and compliance concerns.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill supports directly sending marketing emails but does not require an explicit approval step or clearly warn about the risks of outbound email actions. This is dangerous because a mistaken or coerced invocation could cause unauthorized messages to be sent using configured SMTP credentials, creating abuse, spam, reputational damage, and potential regulatory exposure.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The manifest explicitly advertises automatic extraction of product images, archival to a material library, and direct email sending, but provides no warning, consent flow, or safety constraint around scraping, storing third-party content, or sending outbound communications. In a skill that automates external network access and messaging, omission of user-notice and confirmation language increases the risk of privacy violations, unauthorized outreach, and accidental policy violations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Listing 'supports direct email sending' as a feature without any mention of confirmation, recipient validation, or outbound-communication safeguards normalizes potentially sensitive behavior as a one-step action. In a marketing automation context, this can facilitate spam, misdelivery, or unauthorized messaging if downstream code implements sending without strong user approval controls.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The documentation presents outbound promotional email sending as a straightforward workflow without prominently warning about external network actions, recipient mistakes, compliance obligations, or the risk of sending unreviewed generated content. In a skill that automates extraction and email generation, this can lead to unintended email transmission, reputational harm, spam/compliance issues, and accidental disclosure if users assume the action is only a draft operation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill performs outbound network fetches and stores remote content locally without explicit warning or confirmation. In this context, user-supplied product URLs are expected, so silent downloading increases risk of contacting malicious infrastructure, retrieving unexpected content, or enabling SSRF-like access patterns when image URLs become dynamic.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The file contains hardcoded SMTP username and password and immediately uses them to authenticate and send outbound email. Embedded credentials are highly sensitive secrets: anyone with access to the code can reuse the account for unauthorized email sending, account takeover, spam, or further abuse, and the outbound behavior increases the operational risk in an agent skill context.

Known Vulnerable Dependency: openclaw==2026.2.0 — 10 advisory(ies): CVE-2026-32064 (OpenClaw's andbox browser noVNC observer lacked VNC authentication); CVE-2026-32006 (OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallbac); CVE-2026-41913 (OpenClaw: Concurrent async auth attempts can bypass the intended shared-secret r) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
openclaw==2026.2.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal