X To Kindle
PassAudited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned for sending selected X/Twitter content or local documents to a Kindle, but it requires careful handling of an email app password.
This skill is reasonable to use if you want tweet content emailed to Kindle, but configure it carefully: use a dedicated app password, store secrets in environment variables or a secret manager rather than TOOLS.md, and confirm the file or tweet content before sending.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the wrong path is supplied, a local file could be emailed to the Kindle account unintentionally.
The helper reads whatever local file path it is given and emails it as an attachment to the configured Kindle address.
file_path = sys.argv[1] ... with open(file_path, "rb") as f: ... server.sendmail(SMTP_EMAIL, to_email, text)
Only run the helper on files the user explicitly selected or that the skill just generated for Kindle delivery.
Anyone with access to that app password may be able to send email through the configured account.
The skill needs an SMTP app password so it can authenticate to an email account and send the Kindle delivery email.
- `SMTP_PASSWORD`: Your app password
Use an app-specific password, keep it in protected environment/secret configuration, and rotate or revoke it if it may have been exposed.
A plaintext password stored in a shared or agent-readable file could be exposed to future sessions or other tooling.
The instructions suggest placing a sensitive email app password in a persistent markdown/config context.
Store in TOOLS.md: ... App Password: xxxx xxxx xxxx xxxx
Do not store the app password in TOOLS.md unless that file is protected; prefer environment variables or a dedicated secret manager.
The external API and email/Kindle services may receive the tweet identifier and generated document content.
The workflow sends the tweet ID/link to an external fxtwitter API before emailing the resulting document through SMTP/Kindle.
Extract content via fxtwitter API: https://api.fxtwitter.com/status/<tweet_id>
Use the skill only for links and content the user is comfortable sending through those services.