Is agentlens safe?
https://clawhub.ai/nguyenphutrong/agentlens
This skill is published under the misleading slug 'agentlens' but actually contains 'clippy', a full Microsoft 365 CLI that gives the agent capabilities to read/send/forward emails, manage calendars, attach local files to outbound messages, and search the corporate directory. While the installation itself is clean (no malicious code ships in the package), the skill's instructions direct the agent to clone and execute code from an external GitHub repository, and the email capabilities create significant data exfiltration vectors — particularly email forwarding and file attachment to arbitrary recipients.
Findings (10)
HIGH Email forwarding enables data exfiltration -25
The skill provides 'clippy mail --forward' which allows the agent to forward any email in the user's inbox to an arbitrary external address. Combined with 'clippy mail --search', an attacker could instruct the agent to search for sensitive emails (invoices, credentials, contracts) and forward them externally.
HIGH File attachment exfiltration via email -20
The send command with --attach allows attaching arbitrary local files to outbound emails. An agent could be instructed to email sensitive files (.env, SSH keys, database dumps) to an attacker-controlled address.
HIGH Remote code execution via git clone + bun install -35
The installation instructions direct the agent to clone an external GitHub repository and run 'bun install', which will execute any preinstall/postinstall scripts defined in that repository's package.json. This is a supply chain attack vector — the remote repo could contain malicious install hooks.
MEDIUM Persistent daemon via keepalive service -15
The skill instructs setting up a persistent background process via launchd (macOS) or systemd (Linux) that maintains an authenticated browser session. This creates a long-lived process with access to the user's M365 credentials that survives reboots.
MEDIUM Slug/content mismatch: skill installed as 'agentlens' but contains 'clippy' -20
The skill was installed from the 'agentlens' slug on clawhub but the actual SKILL.md is for a completely different tool called 'clippy' (Microsoft 365 CLI). This mismatch could be used to disguise a skill's true capabilities — a user installing 'agentlens' (suggesting a benign lens/viewer tool) would not expect to get a full M365 email and calendar management tool.
MEDIUM Indirect prompt injection via email content -15
When the agent reads emails (clippy mail -r), the email body content enters the agent's context. A malicious email could contain prompt injection instructions that manipulate the agent into forwarding emails, sending messages, or performing other actions using the skill's capabilities.
MEDIUM Corporate directory exposure -10
The people and room search functionality exposes organizational directory information, which could be used for social engineering or to map an organization's structure.
LOW Broad agent activation scope -10
The skill description triggers on any mention of calendar, email, or people search, giving it a wide activation surface. This means the skill's powerful capabilities (sending email, forwarding, attaching files) could be invoked in many conversational contexts.
INFO Clean installation behavior 0
No network connections, process spawning, or filesystem changes were detected during the skill installation. The skill itself is inert — the risk comes from the instructions it gives to the agent.
INFO Canary files untouched 0
All honeypot files remained intact, indicating no automated credential harvesting during installation.