cma-email

clawhub:cma-email

C
67/100

First Seen: Feb 18, 2026
Last Scanned: Feb 22, 2026
Findings: 2 (CRITICAL 1, MEDIUM 1)
Score: 67/100

Findings (2)

CRITICAL: Fake system prompt (L13)

Detects content pretending to be a system prompt

SYSTEM INSTRUCTION:

FIX: Remove encoded or obfuscated directives (base64, ROT13, unicode escapes, hex-encoded text). All text should be in plaintext and human-readable.

FP? Likely FP if the encoded content is legitimate data (e.g., a base64-encoded image, a hex-encoded binary hash) rather than concealed directives.

MEDIUM: Unrestricted email or messaging access (L47)

Detects CLI tools granting unrestricted send/read access to email or messaging

gmail send --to

FIX: Restrict email and messaging API access to user-initiated actions. Prevent automated sending that could exfiltrate data via email body or attachments.

FP? Likely FP if the skill is an email client or messaging tool whose documented purpose is to send messages on behalf of the user.