ClawHub

smtp-sender

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward SMTP email-sending skill, but users must review recipients and file paths because it can send chosen local files outside the machine.

Install only if you are comfortable letting an agent send email through the configured SMTP account. Use a dedicated low-privilege SMTP credential, enable TLS where possible, secure smtp-config.json permissions, and review the recipient, subject, body source, and every attachment path before sending. Do not rely on the advertised retry, logging, or markdown-conversion features unless the implementation is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation describes use of a local SMTP configuration file, which implies file-read capability, but it does not declare that permission explicitly. Undeclared file access weakens transparency and consent boundaries for users and automated policy systems, especially for a network-capable skill that may combine local data with outbound email transmission.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior does not match the reported code capabilities: the code can read arbitrary local files for the message body while advertised features like markdown support, retry logic, and logging are overstated or absent. This mismatch is dangerous because users may authorize a simple mail-sending skill without realizing it can ingest unintended local files and transmit their contents externally.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends data to external mail infrastructure but omits an explicit warning that recipients, message content, attachments, and possibly credential-related metadata will leave the local environment and may be retained in logs or by SMTP providers. In a skill that handles attachments and local configuration, this omission increases the risk of accidental data exfiltration and unsafe use with sensitive files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This skill logs into an SMTP server and sends email over the network without any consent, disclosure, or confirmation mechanism visible to the user. In an agent setting, that creates a real exfiltration channel because prompts, generated content, or other sensitive data can be transmitted externally using stored credentials with little user awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The attachment handling reads arbitrary local file paths and sends their contents as email attachments, which can directly exfiltrate local secrets if an agent or caller supplies sensitive paths. This is especially dangerous in a skill whose purpose is network transmission, because the file-read capability is immediately coupled to an external delivery channel.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal