ClawHub

email-marketing

Security checks across malware telemetry and agentic risk

Overview

This bulk email skill needs review because it can send at scale, read inbox contents, store email data locally, and includes deliberate spam-filter evasion behavior.

Install only after reviewing and removing the hidden anti-spam interference behavior. Use a dedicated mailbox with revocable app-specific credentials, send only to consented recipients, test with a very small list, avoid printing secrets, and protect or regularly delete local JSON files that may contain private email content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill instructs the agent to read local files, access environment variables, write logs, and send/receive email over the network, but it does not declare any permissions or present those capabilities transparently. This creates a consent and policy gap: a user may invoke the skill without understanding that it can access inbox contents, recipient lists, SMTP credentials, and persist marketing/reply data locally.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The README explicitly advertises anti-spam evasion behavior via '指纹码干扰扫描', which is not necessary for ordinary email marketing and can facilitate deceptive bulk messaging that bypasses recipient protections. In the context of a mass-mailing skill, documenting built-in evasion increases abuse potential for spam campaigns and undermines compliance controls.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The best-practices section normalizes interference with spam scanning as a recommended operational behavior, which crosses from legitimate deliverability advice into evasion of abuse-detection systems. Because this skill is designed for bulk outreach, such guidance materially lowers the barrier to misuse for unsolicited or deceptive campaigns.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The function and comments explicitly describe generating a hidden HTML tag to interfere with spam scanning, and the implementation appends invisible content to every outgoing message. In an email-marketing skill, this is not required for legitimate delivery and instead enables spam-filter evasion, increasing the likelihood of abusive bulk mailing and reputation damage.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code appends a randomly generated invisible HTML block to each email immediately before sending, creating per-message obfuscation intended to reduce spam-filter correlation. This is a direct spam-evasion capability and is especially dangerous in a bulk sender because it facilitates large-scale unsolicited email campaigns.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README describes bulk sending, inbox scanning, unread-email processing, FAQ matching, and automated replies without corresponding privacy, consent, retention, or mis-send warnings. In a tool that processes recipient lists and mailbox contents, omission of these safeguards can lead to unauthorized data processing, accidental disclosure, or noncompliant automated communications.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises automatic inbox scanning and intelligent reply monitoring without an explicit privacy warning about processing incoming email content and sender data. Because inbox messages can contain sensitive personal or business information, silent monitoring increases the risk of unauthorized data handling and unexpected exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The operational steps describe test sending, full bulk sending, reply processing, and statistics/log generation, but they do not clearly warn users that the skill will transmit bulk email and modify local files such as status logs and reply statistics. Absent that disclosure, users may unintentionally trigger mass outbound communication or local data changes with reputational, compliance, and operational consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code retrieves unread emails, extracts full message bodies, prints summaries, and persists message content plus drafted replies into a local JSON file without any consent, minimization, retention control, or user-facing disclosure. In an email-marketing skill, this increases privacy risk because inbound customer communications may contain personal or sensitive business data that is unnecessarily stored and exposed to local compromise or misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The function sends outbound replies over SMTP and can be invoked from the command line, but there is no confirmation, approval workflow, or user-facing warning that messages will be transmitted to external recipients. In this skill context, automated email sending is expected functionality, but lack of explicit authorization and review can still cause unintended outbound communication, privacy leakage, or reputational harm.

Missing User Warnings

High
Confidence
89% confidence
Finding
The script can send bulk email to all addresses in a spreadsheet using stored SMTP credentials with only a CLI flag separating test and production behavior, and without any interactive confirmation, consent verification, or approval gate. In this skill context, that makes accidental or unauthorized mass transmission much more dangerous because recipient data is operationalized immediately at scale.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script writes email send results, including recipient addresses in the failed list, to a local JSON file without retention controls or access restrictions. This creates a local privacy leak and operational data exposure risk, especially on shared systems or when logs are collected by other tooling.

Ssd 4

Medium
Confidence
94% confidence
Finding
The skill explicitly promotes fingerprint interference and human-like delays to reduce spam detection, which goes beyond deliverability hygiene and veers into evasion of email safety controls. In the context of bulk email automation, such guidance can facilitate abusive campaigns, bypass provider protections, and increase legal/compliance exposure.

Ssd 4

Medium
Confidence
91% confidence
Finding
The troubleshooting section gives iterative advice for improving delivery when messages hit spam folders, including adjusting sending behavior and content to avoid filtering. In a bulk-mailing skill, that normalizes progressive evasion of anti-abuse safeguards and can be repurposed to sustain unsolicited or deceptive campaigns.

Ssd 2

Medium
Confidence
98% confidence
Finding
The comments and code describe concealed content inserted specifically to disrupt spam detection, which is a classic concealment tactic. Embedding this in a marketing sender normalizes deceptive behavior and materially increases abuse potential beyond legitimate email automation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Email Marketing Skill - Python Dependencies

# Core email dependencies
pandas>=2.0.0
openpyxl>=3.0.0

# Email monitoring and auto-reply dependencies
Confidence
94% confidence
Finding
pandas>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Core email dependencies
pandas>=2.0.0
openpyxl>=3.0.0

# Email monitoring and auto-reply dependencies
imapclient>=2.3.0
Confidence
95% confidence
Finding
openpyxl>=3.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openpyxl>=3.0.0

# Email monitoring and auto-reply dependencies
imapclient>=2.3.0
email-validator>=2.0.0
Confidence
93% confidence
Finding
imapclient>=2.3.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
# Email monitoring and auto-reply dependencies
imapclient>=2.3.0
email-validator>=2.0.0
Confidence
93% confidence
Finding
email-validator>=2.0.0

Known Vulnerable Dependency: openpyxl — 2 advisory(ies): CVE-2017-5992 (Improper Restriction of XML External Entity Reference in Openpyxl); CVE-2017-5992 (Openpyxl 2.4.1 resolves external entities by default, which allows remote attack)

High
Category
Supply Chain
Confidence
96% confidence
Finding
openpyxl

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal