
Security audit

Ai Intelligent Email Automation

Security checks across malware telemetry and agentic risk

Overview

This email automation skill is purpose-aligned but needs review because it advertises bulk sending, inbox access, auto-replies, tracking, and running external code without clear safeguards or reviewed implementation.

Review carefully before installing. Use only a trusted, pinned source; avoid connecting a personal or broad mailbox; require manual approval for sending and auto-replies; verify recipient consent and unsubscribe handling; and confirm how tracking data, templates, credentials, and mailbox contents are stored or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium (81% confidence)
Finding:
The skill is described with very broad capabilities like sending, receiving, and analyzing email, but it does not define activation conditions, authorization boundaries, recipient constraints, or what data sources it may access. In an agent setting, this ambiguity can enable unintended high-impact actions such as bulk outbound messaging or mailbox access without clear user confirmation, increasing the risk of misuse or overreach.

Missing User Warnings

High (94% confidence)
Finding:
The documentation advertises sending, receiving, analyzing, classifying, auto-replying to, and tracking emails, all of which involve sensitive communications data and potentially external actions, yet it provides no privacy, consent, retention, or security warnings. This is dangerous because users may enable the skill without understanding that it can process mailbox contents, contact data, and behavioral tracking information, creating significant privacy, compliance, and abuse risks.

VirusTotal

64/64 vendors flagged this skill as clean.
