Smart Email Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a real email assistant, but it asks for sensitive mailbox/API access, stores and forwards email data, and has unclear install provenance that should be reviewed before use.
Review carefully before installing. Verify the repository source, use dedicated mailbox app passwords and limited API keys, understand that email content may be archived locally and sent to an AI provider, run the test commands before enabling cron, and remove cron jobs/credentials when you stop using the skill.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Configuring the skill gives it access to read configured mailboxes and use the configured AI and delivery services.
The skill requires mailbox authorization codes, AI API keys, and delivery-channel targets, while the registry metadata says there are no required env vars or primary credential. That under-declares high-impact account access.
SMART_EMAIL_QQ_AUTH_CODE=xxx ... SMART_EMAIL_OPENAI_API_KEY=xxx ... SMART_EMAIL_ANTHROPIC_API_KEY=xxx ... SMART_EMAIL_DELIVERY_TARGET=@username
Use dedicated app passwords and limited-scope API keys, keep ~/.openclaw/.env private, revoke credentials if uninstalling, and require the skill metadata to declare these credentials.
A user or agent following the install instructions could fetch code from a different or unverified repository than the reviewed artifact set.
The install documentation references different GitHub repositories and installs dependencies from requirements.txt, while the registry source is unknown and no formal install spec is provided.
Please help me install Smart Email (https://github.com/bu-bu-xxx/smart-email)... git clone https://github.com/openclaw/smart-email.git ... pip install -r requirements.txt
Install only from a verified repository and pinned commit/version, align all homepage/source URLs, and prefer a declared install spec with pinned dependencies.
Private email content may be transmitted to the configured OpenAI-compatible, Anthropic, or subagent analysis provider.
Email sender, subject, and body content are sent to a configured AI provider for urgency analysis; the code also supports base64-encoded inline images for multimodal analysis.
Email info:\nSender: {sender}\nSubject: {subject}\nBody: {body} ... self.client.chat.completions.create(...)
Use only trusted AI endpoints, avoid connecting highly sensitive mailboxes, disable multimodal analysis unless needed, and make this data flow explicit to users.
Sensitive email content and attachments remain on disk and can be reused for later queries or exposed if local files are not protected.
The skill persistently stores original emails, Markdown versions, attachments, logs, outbox messages, and a tracking database under the OpenClaw workspace.
Local archive | Saves original .eml, Markdown and attachments ... ~/.openclaw/workspace/smart-email-data/
Protect the data directory, review retention needs, use the clean commands carefully, and document exactly what is stored and for how long.
After setup, the skill can continue processing and sending email-derived notifications without a fresh prompt each time.
The skill creates scheduled background jobs that repeatedly check mail, generate summaries, and dispatch messages. This is disclosed and purpose-aligned, but it is persistent automation.
python3 -m smart_email setup-cron --apply ... smart-email-check: check for new mail every 30 minutes ... smart-email-dispatch: send outbox messages to the user's channel every 5 minutes
Run tests before enabling cron, verify jobs with openclaw cron list, and remove the jobs when you no longer want automatic processing.
A crafted email could cause false urgent alerts, misleading summaries, or noisy notifications.
Untrusted email body text is inserted into the LLM prompt that decides urgency and summary output. Malicious email content could try to influence the model's JSON decision.
Body: {body} ... You must output only a valid plain JSON string
Treat email content as untrusted data, delimit it clearly, validate model output with a schema, and avoid letting model output trigger higher-impact actions without checks.
