Is apple-mail-search-safe safe?

https://clawhub.ai/gumadeiras/apple-mail-search-safe

78
CAUTION

This skill gives an AI agent read access to the user's entire Apple Mail inbox via SQLite queries and AppleScript, which is a significant exposure surface for sensitive data. While no active exfiltration or prompt injection was detected, the inherent capability to search and read all email metadata and bodies makes this a high-value target for abuse. The required global npm install of an unaudited package adds code execution risk.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (9)

HIGH Full email database access -25

The skill provides direct SQLite access to Apple Mail's Envelope Index database containing all email metadata (subjects, senders, recipients, dates) for potentially hundreds of thousands of emails. This is an extremely sensitive data source.

HIGH Full email body reading via AppleScript -20

The 'fruitmail body' command uses AppleScript to retrieve complete email body content, exposing potentially sensitive information (passwords, financial data, personal correspondence) to the agent's context window.

MEDIUM Global npm package installation required -20

The skill requires 'npm install -g apple-mail-search-cli' which installs a package from the npm registry with full system access. The npm package could contain preinstall/postinstall scripts not visible in this audit. The actual executable code is not reviewed here.

MEDIUM AppleScript execution vector -10

The 'body' and 'open' commands invoke AppleScript on macOS. While the intended use is reading email and opening Mail.app, AppleScript is a powerful automation framework that can perform arbitrary system actions.

MEDIUM High-value reconnaissance capability -50

An AI agent with email search capability could be manipulated (via prompt injection from other sources) to search for sensitive terms like 'password reset', 'bank statement', '2FA code', 'security question', or 'SSN' and expose results in the conversation context.

LOW Cross-skill chaining suggestion -5

The skill suggests using the 'himalaya' skill for sending emails. While benign in isolation, this creates an implicit read-then-send pipeline: search/read emails with this skill, then forward content via himalaya.

LOW Inconsistent naming between slug and skill name -5

The slug is 'apple-mail-search-safe' but the SKILL.md name is 'apple-mail-search'. The '-safe' suffix in the slug could be misleading, implying a security posture that isn't formally verified.

LOW Homepage URL mismatch -5

The homepage URL points to 'clawdhub.com' (note the 'd') while the registry is 'clawhub.ai'. This could be a typo or could point to a different/spoofed domain.

INFO Clean clone behavior -5

No suspicious activity detected during skill installation. Filesystem events are limited to standard system library loading.