ai-agent-email-skill

Security checks across malware telemetry and agentic risk

Overview

This is a high-authority email automation skill, but its mailbox access, sending, forwarding, and deletion capabilities are disclosed and match its stated purpose.

Install only if you intend to give an agent real mailbox authority. Use an app password or least-privilege OAuth where available, verify IMAP/SMTP/OAuth endpoints, keep secrets out of checked-in files and logs, and require explicit human approval before send, reply-all, forward, delete, expunge, folder delete, or bulk move actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The read operation is not purely read-only: after fetching the message with BODY.PEEK, the code explicitly issues STORE +FLAGS (\Seen), which changes server-side message state. This can mislead downstream users or automations that rely on unread status, and it creates a side effect that is not apparent from a function named as a read operation.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documents destructive mailbox actions like delete, move, rename, and expunge without prominent confirmation or safety guidance. In an agent setting, this can lead to accidental or prompt-induced irreversible mail loss or mailbox tampering, especially because expunge and folder deletion can be hard to recover from.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill enables sending, replying, and forwarding emails, including attachments, without any privacy, consent, or external-communication warning. In context, this is more dangerous because the tool can exfiltrate sensitive inbox content to arbitrary recipients or send unauthorized messages that appear to come from the user.

Missing User Warnings

Medium
Confidence: 92%
Finding
This handler performs irreversible mailbox deletion immediately after basic folder-name validation, with no in-code confirmation, soft-delete workflow, authorization guard, or policy check to ensure the caller intended a destructive action. In an agent skill context, where actions may be triggered from ambiguous prompts or automated workflows, this increases the risk of accidental or unauthorized deletion of entire mail folders and their contents.

Missing User Warnings

Medium
Confidence: 86%
Finding
This handler performs irreversible email deletion by setting the \Deleted flag and optionally expunging messages immediately, but the file contains no built-in confirmation, dry-run, policy gate, or additional authorization step for a destructive action. In an agentic context, where actions may be triggered from ambiguous prompts or chained workflows, this increases the risk of accidental or unauthorized mailbox destruction.

Missing User Warnings

Medium
Confidence: 90%
Finding
The handler marks emails as read without any user-facing disclosure or explicit consent parameter, creating a hidden side effect in a sensitive email-management skill. In this context, that is more dangerous because agents may inspect mail automatically, causing unnoticed state changes that affect user workflows, triage rules, audit expectations, or other mailbox automations.

VirusTotal

67/67 vendors flagged this skill as clean.
