TokenMail

Security checks across malware telemetry and agentic risk

Overview

TokenMail appears to be a real messaging skill, but it needs review because it handles private keys and sends email while using risky secret-handling and remote-code-loading patterns.

Install only if you are comfortable with a skill that can send email, read TokenMail inboxes, and use signing keys. Use disposable TokenMail identities, avoid real wallet mnemonics or valuable private keys, prefer a locally installed/pinned ethers dependency instead of the CDN fallback, do not echo or pass secrets on the command line when avoidable, and manually confirm recipients and message contents before sending.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs use of a Node.js CLI that can read secrets from environment variables and perform outbound email/network operations, yet the skill file does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent may invoke networked actions and consume sensitive env-based credentials without users or orchestrators having an accurate declared capability model.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
If the local ethers module is unavailable, the CLI fetches JavaScript from a remote URL and executes it with vm.runInNewContext. That creates a supply-chain and remote-code-execution path: anyone controlling the CDN, the configured URL, or network traffic can alter cryptographic behavior, exfiltrate secrets, or run attacker-controlled code in the process.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documented `delete <agent> --force` command is destructive and appears without an adjacent warning about irreversibility, backup/export guidance, or confirmation expectations. In an agentic workflow, terse destructive commands can be executed mechanically, increasing the chance of accidental loss of account material or identity state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation describes sending and retrieving messages from a remote TokenMail service, including payloads, addresses, timestamps, and other metadata, but does not clearly warn users that this data leaves the local environment and is processed by an external API. In an agent/sandbox context, this omission can cause unintentional disclosure of sensitive message content, relationship metadata, and public-key identifiers to a third party.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples explicitly demonstrate sending external email and reading inbox contents, but they do not warn that message content, recipients, and metadata may leave the local sandbox and be exposed to third-party services or logs. In an agent skill, users may copy commands verbatim without realizing the privacy implications, which increases the chance of unintended data disclosure.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The send/inbox workflow uses a mnemonic-derived wallet and transmits signed requests plus address-linked message metadata to a remote service, yet the CLI provides no explicit warning that user secrets and sensitive communications are being used to authenticate against an external endpoint. In an agent-skill context, this increases the risk of users supplying highly sensitive mnemonics to a tool that communicates with a third-party server, leading to privacy loss, account correlation, and potential credential compromise if operators misunderstand the trust boundary.

Ssd 3

High
Confidence
98% confidence
Finding
The skill directs the agent to generate a temporary private key and print it in normal output, which is highly sensitive secret disclosure. Agent outputs are often logged, displayed in transcripts, copied into tickets, or exposed to other tools/users; leaking a private key can enable full impersonation of the identity and unauthorized message signing/sending.

VirusTotal

65/65 vendors flagged this skill as clean.
