Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skulk Email
v1.0.2
Email via DreamHost — read inbox, send email, search messages. Send works from any VPS (including DigitalOcean) by routing through DreamHost's Roundcube webm...
by Ada Vale @adainthelab
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (DreamHost Roundcube send + IMAP read) align with the script's actions: it reads a local credentials JSON, uses imaplib for IMAP access (imap.dreamhost.com / optionally imap.gmail.com) and uses curl to log in and send via webmail.dreamhost.com. Required binaries (python3, curl, jq) are reasonable and documented.
Instruction Scope
SKILL.md instructs the user to store credentials in ~/.config/skulk-email/credentials.json and run the provided script. The script only reads that file, contacts the documented DreamHost/Gmail endpoints, and writes temporary cookies to /tmp; it does not attempt to read other system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only plus an included script), so nothing is downloaded or installed by the skill itself. This minimizes install-time risk. The runtime dependencies are standard, documented binaries.
Credentials
No environment variables, no external API keys, and no unrelated credentials are requested. The only secret required is the mailbox password (DreamHost, and optionally a Gmail app password), stored in the explicitly-documented local JSON file. That storage method and permissions are described in SKILL.md.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide changes or modify other skills. It runs on-demand and performs its actions only when invoked.
Assessment
This skill is consistent with its description, but keep these practical safety points in mind:
- The script requires storing your mailbox password in plaintext in ~/.config/skulk-email/credentials.json. Ensure the directory (700) and file (600) permissions are applied and only use on machines you trust. Consider using an account with limited privileges or an app-specific password where supported.
- The send flow automates a webmail login and scrapes tokens; it stores cookies in /tmp and attempts to clean them up on exit, but if the process is killed (SIGKILL) cookies may remain temporarily. Don’t run on multi-user systems where /tmp is shared without appropriate protections.
- Webmail automation can be brittle (changes to the Roundcube UI could break it) and may run afoul of provider rate limits or terms of service if abused; avoid bulk sending and respect DreamHost/Gmail policies.
- If you need stronger security, consider using an OAuth/app-password approach for Gmail and avoid storing long-lived plaintext passwords.
- If you want additional assurance, review the script yourself or run it in a sandbox/VPS you control before linking any production mailbox.

Like a lobster shell, security has layers — review code before you run it.
