Skillv1.0.0

ClawScan security

Email Excel Transfer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 7:42 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's described purpose (download IMAP attachments and populate Excel via PowerShell) mostly matches its instructions, but it asks for user credentials and to send files to an internal MCP bridge without declaring those requirements in metadata — that mismatch and the bridge-based remote PowerShell execution are concerning.
Guidance: Before installing, confirm you trust the skill author and understand where credentials and files will go. Specific actions to consider: - Ask the maintainer to declare required env vars (USER_EMAIL, USER_APP_PASSWORD) in metadata so you know what you'll be asked to provide. - Prefer using an app-specific IMAP password or a throwaway account, not your primary mailbox password. - Verify the MCP bridge endpoint (http://172.17.0.1:3001/mcp) is a trusted internal service in your environment — this endpoint can write files and execute PowerShell on a Windows host, which is high privilege. - If possible, test with non-sensitive emails/attachments on an isolated VM before giving real credentials or permitting remote execution. - Review and limit the PowerShell commands that will be executed; avoid allowing arbitrary shell_ps calls that could run unexpected code. If you cannot verify the bridge or do not want to share email credentials, do not install or use this skill.

Review Dimensions

Purpose & Capability: noteThe name/description match the instructions: the SKILL.md shows IMAP download, XLSX parsing, and PowerShell-based Excel edits. However, the skill requires user email credentials (USER_EMAIL, USER_APP_PASSWORD) and access to a Windows host for COM automation, but the registry metadata lists no required environment variables or primary credential — an inconsistency between claimed purpose and declared requirements.
Instruction Scope: concernRuntime instructions tell the agent to log into IMAP with user-supplied credentials, save attachments to /tmp, parse XLSX, then transfer files to a Windows host and run PowerShell COM to edit Excel. The SKILL.md also demonstrates sending base64 payloads to an internal MCP bridge (http://172.17.0.1:3001/mcp) and invoking a remote shell_ps tool. That bridge/JSON-RPC execution path grants the ability to write files and run arbitrary PowerShell on another host — legitimate for the stated transfer task but high-impact and not restricted or explained.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself before runtime, which lowers install-time risk.
Credentials: concernThe instructions require sensitive secrets (email address and app password) and access to an internal MCP bridge that can execute PowerShell — yet the skill metadata declares no required env vars or primary credential. Requiring these credentials is reasonable for IMAP access, but the omission in metadata is a transparency issue. The MCP bridge endpoint (172.17.0.1) is an internal address and using it to execute PowerShell increases the trust and privilege needed.
Persistence & Privilege: okThe skill is not marked always:true and has no install-time persistence. It does instruct use of a remote execution bridge, but it does not request permanent inclusion or to modify other skills/configs.