MailClaw

Security checks across malware telemetry and agentic risk

Overview

MailClaw appears to be a legitimate Gmail automation skill, but its recurring mailbox access and under-scoped host-invoked runbook behavior warrant review before installation.

Review this carefully before installing. Only use it if you are comfortable giving MailClaw's backend ongoing access to Gmail-derived data, storing a local API key, and letting scheduled tasks poll your mailbox. Confirm that you can disable heartbeat jobs and revoke the API key/OAuth grants, and avoid relying on host-injected runbook behavior unless your platform constrains it to the bundled read-only digest flow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The skill explicitly states that host-initiated instructions injected into the user-message slot should be followed exactly and can override the normal conversational flow. That creates an instruction-priority inversion where untrusted or weakly authenticated host content can bypass the skill's own confirmation, intent-validation, and safety constraints, enabling unintended actions such as email sends, rule changes, or action execution.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill instructs the agent to read an API key from local configuration and use it to fetch email data from a server, but it provides no user-facing notice, consent step, or privacy boundary around accessing potentially sensitive mailbox metadata and summaries. Even if the server-side analysis is legitimate, this workflow can expose private email information and normalize silent credential use and network retrieval without transparency.

Vague Triggers

Medium
Confidence: 90%
Finding
The example trigger phrase "Check my email" is extremely broad, natural, and likely to overlap with ordinary user conversation. In assistant ecosystems that activate skills from natural-language matching, this can cause unintended invocation of a skill that has access to Gmail data and email actions, increasing the chance of accidental data exposure or unintended email operations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README explicitly describes automatic server-side email analysis, minute-level polling, and scheduled daily digests, but does not prominently warn users that email contents may be continuously processed and acted on after setup. In the context of a Gmail automation skill handling sensitive communications, this lack of transparency can lead users to authorize persistent background processing without fully understanding the privacy and operational consequences.

Missing User Warnings

Medium
Confidence: 95%
Finding
The setup instructs the agent to create recurring Gmail polling and digest jobs after initial OAuth, but it provides no user-facing disclosure, consent renewal, or controls for ongoing access to email-derived data. This creates persistent background processing of sensitive communications, increasing privacy risk and the chance users do not realize their Gmail data continues to be accessed and summarized over time.

Ssd 1

High
Confidence: 99%
Finding
The skill treats host-injected instructions placed in the user message as authoritative and says they override the default flow for that turn. This allows an external instruction source to bypass user-driven consent and safety checks, creating a confused-deputy condition where the skill may perform powerful actions under the guise of normal operation.

VirusTotal

64/64 vendors flagged this skill as clean.
