v1.5.3

Bee Push Email

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:03 AM.

Analysis

This appears to be a real email-notification skill, but it installs a persistent system service and handles powerful email, Telegram, and OpenClaw credentials in ways users should review carefully.

Guidance: Treat this as a powerful system integration, not a simple notification add-on. Before installing, confirm you trust the publisher, pin or manually install Himalaya, use an app-specific email password, verify where the OpenClaw token is stored, set an explicit notification channel/target, and keep auto-reply disabled or approval-based.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium. Confidence: High. Status: Concern.
scripts/setup.py
url = f'https://github.com/pimalaya/himalaya/releases/latest/download/himalaya-{arch_suffix}.tar.gz'; run(f'curl -sSfL {url} | tar -xz -C /usr/local/bin/ himalaya', check=False)

The installer downloads the latest Himalaya release and extracts it into a system binary path without a pinned version or checksum.

User impact: The system will trust and install a remote binary as part of setup; a compromised release, network path, or unexpected latest version could affect the host.
Recommendation: Use a pinned version and verify a checksum or signature before installing, or require the user to install Himalaya separately through a trusted package channel.
Tool Misuse and Exploitation
Severity: Medium. Confidence: Medium. Status: Concern.
README.md
Your OpenClaw agent reads, analyzes, and decides what to do: notify you, move spam, flag important emails, or stay silent.

The documented behavior includes autonomous email-account changes, not only passive notification.

User impact: The agent may be empowered to change mailbox state or reply to senders if configured, which can affect business or personal communications.
Recommendation: Keep auto-reply disabled or set to ask, and require explicit user approval before moving, flagging, deleting, or replying to emails.
Rogue Agents
Severity: Low. Confidence: High. Status: Note.
SKILL.md
This skill installs a persistent background service (`Restart=always`, starts on boot). It maintains a continuous IMAP connection.

The persistent service is clearly disclosed and purpose-aligned, but users should notice that it continues running after installation.

User impact: The skill will keep monitoring email in the background until stopped or uninstalled.
Recommendation: Install only on a host where continuous email monitoring is intended, and verify that uninstall or systemctl stop removes or disables the service when no longer needed.
Human-Agent Trust Exploitation
Severity: Low. Confidence: High. Status: Note.
metadata
Primary credential: none; Required config paths: none; No install spec — this is an instruction-only skill.

The registry-level metadata under-declares the actual credential use and full-system installation shown in SKILL.md and the scripts. The body documentation is more transparent, so this is a disclosure note rather than a standalone malicious signal.

User impact: A user relying only on registry metadata may underestimate the installation and credential scope.
Recommendation: Read the full SKILL.md and scripts before installing; the publisher should align registry metadata with the real install and credential requirements.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
scripts/setup.py
if 'openclaw_token' not in config: token, source = read_openclaw_gateway_token(); config['openclaw_token'] = token ... json.dump(config, f, indent=2); os.chmod(CONFIG_PATH, 0o600)

The installer reads a local OpenClaw gateway token and persists it into the watcher config. That is powerful delegated agent access, not just an email password.

User impact: A persistent service will hold a token that can authenticate to OpenClaw agent delivery; if the service account or config file is exposed, the token could be misused.
Recommendation: Install only if you are comfortable granting this service OpenClaw delivery authority. The publisher should clearly disclose the OpenClaw token in the main credential contract and support a narrow, service-specific, revocable token.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium. Confidence: High. Status: Concern.
scripts/imap_watcher.py
# Fallback: any UUID found ... log.info(f"Using fallback session: {match.group(1)}"); return _cache_and_return({'session_id': match.group(1)})

If the preferred direct session is not found, the watcher falls back to any session UUID it sees before delivering notifications.

User impact: Email notifications or security alerts could be delivered to the wrong OpenClaw session if session detection is ambiguous.
Recommendation: Configure an explicit channel and target/session for notifications, and prefer a fail-closed design that does not send email-derived content to a fallback session.