Security audit

work-mail-notifier

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed QQ work-mail helper that reads, displays, and marks mail only through explicit local scripts, with privacy-sensitive behavior users should understand before use.

Install only if you are comfortable with this skill accessing QQ work-mail metadata, showing full selected email bodies, storing recent notification references locally, and marking selected messages as read. Review the configured himalaya account and folders before use, and clear the local OpenClaw workspace data files if you need to remove notification history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill invokes local Python scripts that read and write files and execute via shell, yet it declares no permissions. This creates a transparency and governance gap: the agent may perform filesystem and command execution actions without the user or platform being explicitly informed, increasing the chance of unauthorized data access or unsafe execution in practice.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The script's behavior goes beyond passive notification and read-marking by retrieving and displaying full email bodies from stored references. In a work-mail context, message bodies commonly contain sensitive business data, so exposing them without an explicit access-control or consent check increases confidentiality risk.

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger description is broad enough to match generic email-related requests, which can cause the skill to activate outside its intended QQ work-mail context. Over-broad activation increases the risk of unintended access to mail content or state-changing actions like marking messages as read when the user did not mean to use this specific skill.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill description omits clear notice that it continuously monitors mailbox folders and persists notification state to a local file. Lack of disclosure undermines informed consent and can expose sensitive email metadata or usage patterns on disk, especially in shared or unmanaged environments.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script fetches full email content and prints it directly to stdout, which can disclose confidential information into logs, terminals, transcripts, or calling systems. In an agent skill that handles work email, this context makes the issue more dangerous because the content is likely to include private or regulated business information.

VirusTotal

67/67 vendors flagged this skill as clean.