Trust Assessment
clawmail received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Untrusted External Script Execution During Setup, Facilitated Prompt Injection from Untrusted Email Content, and Sensitive API Credentials Stored in Local File.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Untrusted External Script Execution During Setup: The skill's setup instructions involve downloading and executing a Python script (`setup.py`) directly from an external URL (`https://clawmail.cc/scripts/setup.py`). This poses a critical supply chain risk. If the `clawmail.cc` domain is compromised, or if the script itself contains malicious code, executing it could lead to arbitrary code execution, credential harvesting, or data exfiltration on the user's system without prior review or verification. Strongly recommend reviewing the `setup.py` script manually before execution. For production environments, consider providing a cryptographic hash (e.g., SHA256) for the script to allow users to verify its integrity before execution. Ideally, package the setup process more securely, for example, by including the script directly within the skill package after thorough security review, or by using a trusted package manager. | LLM | SKILL.md:14 |
| HIGH | Facilitated Prompt Injection from Untrusted Email Content: The skill provides functionality to receive emails, including their subject and body content. The `SKILL.md` explicitly warns about 'Sender Validation' to prevent prompt injection from email content. If the host LLM is instructed to process the `subject`, `text_body`, or `html_body` of received emails without implementing the recommended sender validation or other robust sanitization, it could be vulnerable to prompt injection attacks where malicious email content manipulates the LLM's behavior. The skill itself does not perform this validation, leaving it to the user. It is critical that any LLM processing received email content *always* implements robust sender validation and content sanitization, as suggested in the 'Security: Sender Validation' section of the `SKILL.md`, before passing email content to the LLM for interpretation or action. The skill developer could consider adding a wrapper function that performs this validation by default to enhance security for users. | LLM | SKILL.md:120 |
| MEDIUM | Sensitive API Credentials Stored in Local File: The skill stores sensitive API credentials (`system_id`, `inbox_id`) in a local JSON file (`~/.clawmail/config.json`), from which they are loaded and used as `X-System-ID` headers for all API requests. While this is a common pattern for API keys, it means these credentials are present on the local filesystem. If the system is compromised, or if file permissions are not properly secured, these credentials could be exposed to unauthorized entities. Ensure that the `~/.clawmail/config.json` file has appropriate restrictive file permissions (e.g., `chmod 600`) to prevent unauthorized access. For production deployments, consider using environment variables or a secure secrets management system instead of plain text files to store and retrieve sensitive credentials. | LLM | SKILL.md:29 |