Back to skill

Security audit

Imap Idle Review

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate email-monitoring skill, but it handles mailbox credentials and sends email previews to a webhook the user configures.

Install only if you trust the configured webhook and are comfortable letting the skill monitor the selected mailboxes. Prefer keyring or a secrets manager, run chmod 600 on any config file containing passwords or tokens, avoid remote non-HTTPS webhooks, and remember that email previews may be passed into OpenClaw automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation instructs users to perform network operations and write configuration/service files, but the skill declares no permissions. That mismatch can cause operators or automation to grant trust without understanding that the skill persists configuration and establishes outbound/inbound communications, increasing the chance of unsafe deployment.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The listener exfiltrates more than a minimal event signal by transmitting sender, subject, and body preview text to the configured webhook. In an email-monitoring skill, this increases privacy and data-leak risk because sensitive email content can be forwarded to another service or endpoint if misconfigured, compromised, or non-local.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README's primary configuration example includes an IMAP password in plaintext, which normalizes insecure secret handling and can lead users to store mailbox credentials directly on disk. In the context of an email-listening skill that necessarily handles sensitive account credentials, this increases the chance of credential disclosure via weak file permissions, backups, shell history, or accidental sharing.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill includes sudo-based systemd installation and startup commands that create a persistent privileged system-level service, but it does not clearly warn the user that this changes boot behavior and system state. This is risky because users may copy-paste commands without realizing they are enabling long-lived execution of the listener.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The listener extracts email sender, subject, and up to hundreds of characters of body content, then forwards that data to a configured webhook. Even if intended for notifications, this creates a data-exfiltration path for potentially sensitive email contents, and the default example uses plain HTTP rather than HTTPS, increasing exposure if misconfigured.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code performs network transmission of email metadata and body previews without any nearby warning, consent gate, or safety check, which can lead operators to unknowingly forward sensitive communications. In this skill's context, the webhook is the core integration point, so silent forwarding materially increases confidentiality risk.

Credential Access

High
Category
Privilege Escalation
Content
# 2. Store passwords in keyring
python3 -c "
import keyring, getpass, json
from pathlib import Path

config_path = Path.home() / '.openclaw' / 'imap-idle.json'
Confidence
80% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
for account in config['accounts']:
    username = account['username']
    password = account['password']
    keyring.set_password('imap-idle', username, password)
    print(f'✅ Stored password for {username}')
"
Confidence
84% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
for account in config['accounts']:
    username = account['username']
    password = keyring.get_password('imap-idle', username)
    if password:
        account['password'] = password
        print(f'✅ Restored password for {username}')
Confidence
77% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
self.logger.debug(f"🔐 Using keyring password for {username}")
                    return password
            except Exception as e:
                self.logger.warning(f"⚠️  Keyring access failed for {username}: {e}")
        
        # Fall back to config file
        password = account_config.get('password')
Confidence
88% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
self.logger.debug(f"🔐 Using keyring password for {username}")
                    return password
            except Exception as e:
                self.logger.warning(f"⚠️  Keyring access failed for {username}: {e}")
        
        # Fall back to config file
        password = account_config.get('password')
Confidence
90% confidence
Finding
Keyring

Credential Access

High
Category
Privilege Escalation
Content
print(f"✅ Password stored in system keyring for {username}")
            # Don't include password in config
        except Exception as e:
            print(f"⚠️  Failed to store in keyring: {e}")
            print("Falling back to config file storage")
            account['password'] = password
    else:
Confidence
90% confidence
Finding
keyring

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/listener_old.py:90

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/listener.py:90

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/setup.py:202

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
SECURITY.md:273