ClawHub

PayLessTax Email Campaign

Security checks across malware telemetry and agentic risk

Overview

This is a real bulk email automation skill, but it uses powerful Gmail access and lacks enough controls for scheduled mass sending and inbox/contact handling.

Install only if you control the Google Workspace domain and mailing list, have consent to contact recipients, and can safely administer the delegated service account. Before running, use a dedicated sending mailbox, reduce Gmail permissions where possible, disable or tightly scope inbox contact scraping, add a dry-run/approval step, enforce durable daily limits, and implement a real unsubscribe suppression list.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises operational behavior that clearly requires file read/write and network access, but it does not declare any permissions. This creates a transparency and least-privilege problem: operators may approve or run the skill without understanding that it can access local mailing lists, credentials, and external services. In an automation context handling Gmail and contact data, undeclared capabilities increase the chance of overbroad access and misuse.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose presents the skill as a simple outbound email scheduler, but the behavior includes inbox scanning, unsubscribe detection, and Gmail modify access. That mismatch is security-relevant because it conceals mailbox read/modify capability and data processing beyond sending, which could expose sensitive email content or allow unintended mailbox changes. The use of domain-wide delegation makes this more dangerous because the granted authority may extend broadly across organizational mailboxes.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s stated purpose is outbound email automation, but it also queries the mailbox for inbound bounce and unsubscribe messages. Even though this is operationally related to campaigns, it expands data access into mailbox contents without clear justification or user disclosure, increasing privacy and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code requests Gmail modify scope, which grants the ability to read and alter mailbox state, while the primary function is sending campaign emails. This exceeds least-privilege for a sending tool and creates unnecessary risk if the skill or its credentials are misused, including mailbox tampering or broader message access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill explicitly states it will scrape inboxes for new contacts, but provides no warning or consent framework for the privacy and data-collection implications. Harvesting contacts from mailbox content can capture personal data from correspondents who never agreed to marketing use, creating privacy, compliance, and reputational risk. In a bulk-email campaign skill, this behavior materially increases the likelihood of abusive or non-compliant outreach.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script performs bulk transmission of recipient data to Gmail and also inspects mailbox messages for unsubscribe and bounce handling, but there is no explicit consent, warning, or confirmation flow. In a mass-email context, that omission increases compliance, privacy, and user-surprise risk because operators may not understand that mailbox contents are being queried as part of execution.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal