Exmail MCP Setup

Security checks across malware telemetry and agentic risk

Overview

This skill is an email connector, but it quietly adds email-sending power and disables TLS checks while handling mailbox credentials.

Review this carefully before installing. Only use it if you are comfortable giving the connector persistent access to your Exmail account, including the ability to send email as you. Prefer a version that removes send_email unless you explicitly need it, keeps TLS certificate verification enabled, and stores or rotates the auth code securely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs the agent to handle environment variables containing email credentials and to deploy a network-connected MCP server, yet it declares no permissions. That mismatch weakens user visibility and policy enforcement, making it easier for a skill with credential and network access to operate without appropriate scrutiny.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The instructions set `NODE_TLS_REJECT_UNAUTHORIZED` to `0`, which disables TLS certificate validation for the email connector. This permits man-in-the-middle interception of mailbox credentials and email contents, which is especially dangerous because the skill handles sensitive enterprise email access.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this connector is for connecting exmail to read and search emails, but the tool list also exposes a send_email capability. That creates a privilege/scope mismatch: an agent or user enabling what appears to be a read-only mail integration would also grant outbound email capability, enabling impersonation, phishing, spam, or unauthorized external communications from the mailbox.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code constructs an SMTP transporter and sends mail using stored mailbox credentials even though the stated purpose is setup for reading and searching exmail. This unjustified capability materially increases risk because any caller with access to the MCP tool can cause external side effects and send messages as the configured account.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill not only disables TLS certificate verification but presents it as a normal fix, without any warning about the security consequences. In the context of an email connector carrying authentication secrets and message content, this materially increases exposure to credential theft and traffic interception.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill asks for an email address and client-specific auth code, then later stores those secrets in `mcp.json` environment configuration, but gives no explicit guidance on secure storage, local exposure, or credential rotation. Even though a client-specific password is better than a primary password, it still grants mailbox access and should be treated as a sensitive secret.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The send_email tool performs an irreversible external action without any built-in confirmation, approval, or user-warning mechanism. In an agent setting this is dangerous because prompt injection, tool misuse, or misunderstanding could trigger unintended outbound emails, causing data leakage, reputational harm, or social-engineering abuse.

VirusTotal

65/65 vendors flagged this skill as clean.
