Email Marketing

Security checks across malware telemetry and agentic risk

Overview

This skill is a real email-marketing tool, but it needs review because it can send bulk mail, read inbox contents, store email-derived data, bypass TLS verification, and intentionally alter messages to avoid spam filtering.

Install only after code review and only with a dedicated authorized mailbox and opted-in recipient lists. Remove the hidden tag generation that is meant to interfere with anti-spam scanning, restore normal TLS verification, add an explicit confirmation step before any live bulk send, and avoid retaining full inbound email bodies unless you have a clear privacy and retention policy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and operationalizes filesystem access, network use, and likely environment-variable use without any declared permission model or user-facing consent boundary. In a skill that sends bulk email and scans inbox contents, undeclared capabilities increase the chance of unauthorized data access, credential misuse, and external communications occurring without adequate review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior includes anti-spam evasion ('干扰指纹码', i.e. "interference fingerprint code", and human-delay simulation) and direct reply-sending capabilities that are not transparently framed as sensitive or risky operations. Evasion features materially increase abuse potential for spam/phishing campaigns, while hidden draft persistence and CLI-based sending expand the chance of stealthy or unreviewed outbound communication.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The SMTP reply path explicitly disables TLS certificate validation by setting check_hostname to False and verify_mode to CERT_NONE. This enables man-in-the-middle interception of mailbox credentials and email contents, which is especially risky because this skill handles inbound and outbound corporate email.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function explicitly generates hidden HTML content described as intended to 'interfere with anti-spam scanning'. That is not a normal deliverability feature; it is a deliberate spam-filter evasion technique that can facilitate deceptive bulk messaging and increase the likelihood of abuse.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code comment frames the behavior as inserting an innocuous marker, but the inserted content is hidden HTML generated specifically to alter message fingerprints and evade filtering. Mislabeling risky behavior makes review harder and increases the chance that the filter-evasion logic remains unnoticed in production.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Disabling certificate validation and hostname verification removes TLS server authentication, allowing man-in-the-middle interception of SMTP credentials and email contents. This can expose account passwords, recipient data, and message payloads, especially on untrusted or misconfigured networks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs bulk outbound messaging and automated inbox monitoring/reply generation, both of which affect personal data and external communications, yet it lacks clear warnings and consent language. This can lead users to enable behavior that processes customer emails or sends messages on their behalf without understanding privacy, compliance, and reputational risks.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Mandating automatic replies in the detected language without user choice can cause inappropriate or misleading communications, especially when language detection is wrong or when policy requires a fixed support language. In an automated email workflow, this reduces operator control over customer-facing messaging and can amplify mistakes at scale.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script establishes an outbound IMAP connection and processes mailbox contents, including sender, subject, and body data, without any user-facing notice, consent check, or access scoping. In an agent-skill context, this can quietly expose sensitive email metadata and content to automated processing, making the behavior more dangerous because mailbox access is highly privacy-sensitive and can reveal personal or business information.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The script persists reply and bounce statistics derived from mailbox contents to a local JSON file, including sender addresses, subjects, and bounce summaries. Storing this derived email data locally can create a secondary data exposure point if filesystem permissions are weak, the assets directory is shared, or the file is retained longer than necessary.

Missing User Warnings

High
Confidence
88% confidence
Finding
Running the script with the 'run' argument immediately sends live bulk email with no confirmation prompt, dry-run checkpoint, or recipient summary. In an email-marketing skill, this increases the risk of accidental mass mailing, unauthorized sends, privacy incidents, and policy-violating campaigns.

VirusTotal

64/64 vendors flagged this skill as clean.
