Imap Idle Review

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate email-monitoring skill, but it handles mailbox credentials and forwards email previews to the webhook you configure.

Install only if you are comfortable granting access to the selected mailboxes and sending sender, subject, and short body-preview text to your configured webhook. Prefer keyring storage, run chmod 600 on any config file containing secrets, keep the webhook local or otherwise trusted, and ensure OpenClaw treats email contents as untrusted input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Intent-Code Divergence

Severity: Low
Confidence: 86%
Finding
The document makes an absolute assurance that traffic goes only to a 'local webhook,' but elsewhere it clearly supports arbitrary OpenClaw Gateway destinations including Docker, Kubernetes, and cloud VPS deployments. Misleading security documentation can cause operators to underestimate egress exposure and trust remote webhook targets without proper validation, increasing the risk of unintended data disclosure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The listener fetches message text and sends subjects and body previews to a webhook, which materially expands data collection beyond simple new-mail signaling. This can leak sensitive email content, secrets, personal data, or internal notifications to another service or endpoint if the webhook is compromised, misconfigured, or not fully trusted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding
The code contains special-case handling for a specific personal account and GitHub mention patterns, which is unrelated to a general-purpose IMAP listener and suggests profiling of one user's mail stream. That increases suspicion because the skill behavior is customized around a particular inbox and extracts semantically meaningful notification content from emails.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill states it fetches email headers and a body preview, then sends batched events via webhook, but it does not clearly warn users that email-derived content may be transmitted to another endpoint. Even if the default webhook is localhost, this can expose sensitive sender, subject, or preview data to any configured receiver and should be clearly disclosed.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The listener sends sender addresses, subjects, and body previews from incoming emails to a webhook endpoint, which can expose sensitive personal or business data outside the mailbox context. In an email-monitoring skill this behavior is expected, but it is still a real privacy/security risk because the code does not enforce minimization, redaction, or explicit consent before exfiltrating message content.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The webhook payload includes sender, subject, and body preview content without any visible consent flow or prominent warning that email data will be disclosed to another endpoint. In the context of an email-monitoring skill, this makes accidental exfiltration of sensitive mailbox contents significantly more dangerous.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The setup script writes a JSON config containing the webhook token and, when keyring is unavailable or declined, IMAP account passwords in plaintext. These secrets are stored under a predictable path in the user's home directory without setting restrictive file permissions or providing a strong warning at save time, which increases the chance of credential disclosure through local access, backups, or accidental sharing.

Credential Access

Severity: High
Category: Privilege Escalation
Content
            print(f"✅ Password stored in system keyring for {username}")
            # Don't include password in config
        except Exception as e:
            print(f"⚠️  Failed to store in keyring: {e}")
            print("Falling back to config file storage")
            account['password'] = password
    else:
Confidence: 90%
Finding
keyring

Credential Access

Severity: High
Category: Privilege Escalation
Content
        print()
        use_keyring = get_yes_no("Use keyring for password storage? (recommended)", True)
        if use_keyring:
            print("✅ Passwords will be stored in system keyring")
        else:
            print("⚠️  Passwords will be stored in config file (less secure)")
    else:
Confidence: 88%
Finding
keyring

Credential Access

Severity: High
Category: Privilege Escalation
Content
            print("⚠️  Passwords will be stored in config file (less secure)")
    else:
        print("\n⚠️  Keyring library not available")
        print("Install with: pip3 install keyring --user")
        print("Passwords will be stored in config file")

    # Accounts
Confidence: 86%
Finding
keyring

VirusTotal

62/62 vendors flagged this skill as clean.
