quiet-mail

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: quietmail
Version: 1.0.0

The skill bundle is classified as suspicious due to the presence of hardcoded credentials in test files. Specifically, `test_send_email_direct.py` and `test_testbot_smtp.py` contain hardcoded email addresses and their corresponding plaintext passwords for test accounts (`bob@quiet-mail.com`, `test-bot@quiet-mail.com`). Additionally, `tests/phase2_test.py` contains hardcoded PostgreSQL database credentials (`quietmail:quietmail`) and logic to retrieve API keys directly from the database. While these are test files and not part of the core skill execution for an AI agent, their inclusion in the bundle represents a significant security vulnerability if the service were deployed using these files, potentially exposing sensitive internal credentials. The `SKILL.md` and `API.md` files do not contain any evidence of prompt injection or malicious instructions to the AI agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who obtains the skill package may be able to authenticate as that mailbox and send mail under that identity if the credential is still valid.

Why it was flagged

A packaged test script contains a specific SMTP username and password for an existing mailbox rather than using an environment variable or mock secret.

Skill content

username="bob@quiet-mail.com", password="TG4IqhvLyXXO..."

Recommendation

Remove the credential from the package, rotate the mailbox password immediately, and require all tests to read secrets from local environment variables or a secret manager.

What this means

This exposes mailbox-level authority beyond what a normal user should receive from an email-sending skill.

Why it was flagged

A second packaged test script includes another concrete SMTP account password for quiet-mail infrastructure.

Skill content

username="test-bot@quiet-mail.com", password="LxTWbNgAHxY9..."

Recommendation

Remove and rotate this credential as well, and add secret scanning to prevent live credentials from being published.

What this means

An autonomous agent could send unwanted, mistaken, or abusive email at scale, creating recipient harm and reputational or policy risk for the user and service.

Why it was flagged

The documented workflow lets an agent create an email identity without prior authentication and use it for broadly unlimited outbound email.

Skill content

"Simple, unlimited email for AI agents. No verification required"; "Create Agent" / "No authentication required"; "No daily sending limit"

Recommendation

Require explicit user approval before each send or campaign, document acceptable-use limits, implement enforceable rate limits, and scope allowed recipients/use cases.

What this means

Inbox messages may contain secrets, verification links, or malicious instructions that an AI agent could over-trust if treated as authoritative context.

Why it was flagged

The backend can retrieve full mailbox contents and return email bodies to the agent.

Skill content

await imap.login(current_agent.email, current_agent.mailbox_password) ... bodyText=body_text, bodyHtml=body_html if body_html else None

Recommendation

Protect the quiet-mail API key like full mailbox access, avoid exposing sensitive inboxes, and instruct agents to treat email content as untrusted data rather than commands.

What this means

Users have less registry-level provenance information for deciding whether to trust the external email service.

Why it was flagged

The registry metadata does not provide a source or homepage even though the skill directs agents to a hosted external email API.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Verify the service operator and domain independently before using it, and prefer a registry entry with a declared source and homepage.