ClawHub

Near Email Skill

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only NEAR email skill whose network, credential, attachment, send, read, and delete behaviors are disclosed and aligned with email use.

Before installing or using it, verify the maintainer and OutLayer/NEAR project, keep payment keys and NEAR private keys out of source code and client-side logs, use encrypted email for private content, and require explicit confirmation before sending attachments or deleting emails.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The skill metadata and description promise only send/read email behavior, but the documented API also exposes `delete_email`. That capability expansion matters because downstream agents or users may invoke a destructive operation they were not informed the skill supports, increasing the risk of unintended data loss or over-privileged use.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The attachment examples read local files from disk and immediately transmit their contents as email attachments, without any warning about exfiltration risk or consent boundaries. In an agent context, normalizing filesystem reads for a messaging skill can lead operators to unintentionally send sensitive local files off-host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The example shows a payment credential being placed directly into code and sent as an HTTP header, but it does not warn users to treat the key as a secret, avoid hardcoding it, or store it in environment/secret managers. This creates a realistic risk that developers copy the example into production, commit secrets to source control, or expose billing authority to logs and client-side contexts.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting a `delete_email` action without warning that it is destructive can lead agents or integrators to call it as if it were a normal read/write operation. In an agent setting, unclear destructive semantics increase the chance of accidental mailbox modification or irreversible loss of user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples show use of an X-Payment-Key credential but do not clearly warn that possession of this key grants billable API access and must be treated like a secret. This can cause developers to hardcode, log, or otherwise mishandle the credential, leading to unauthorized API use and account abuse.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The attachment examples demonstrate reading and sending local file contents without a clear warning that the files leave the machine and are transmitted to an external service. In agent workflows this can easily become accidental data exfiltration, especially if operators reuse the pattern with sensitive documents.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
OUTLAYER_API = "https://api.outlayer.fastnear.com"
PROJECT_ID = "zavodil.near/near-email"
PAYMENT_KEY = os.environ.get("OUTLAYER_PAYMENT_KEY", "your-account.near:nonce:secret")

# Send email (plaintext - simplest option)
def send_email(to: str, subject: str, body: str) -> dict:
Confidence
87% confidence
Finding
os.environ.get("OUTLAYER_PAYMENT_KEY", "your-account.near:nonce:secret

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal