Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gomail
v0.1.0
Send emails via the gomail sender CLI with attachments, templates, and recipient management. Use when sending or testing email delivery from OpenClaw.
by Jia @craftslab
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: the skill wraps the gomail 'sender' CLI to send mail, attachments, and validate recipients. Requiring a sender binary and a config file with SMTP settings is coherent with this purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent/operator to download a prebuilt binary (via GitHub release redirect), extract it, mark it executable, and optionally place it on PATH. It also instructs use of a local JSON config containing SMTP credentials and resolves attachments relative to the working directory (which implies the agent or invoker may read local files). These actions are within the declared goal (sending mail) but broaden the attack surface (remote binary execution, local file access for attachments/config).
Install Mechanism
There is no formal install spec, but the SKILL.md instructs downloading and extracting a tarball from a GitHub releases 'latest' redirect and running the contained binary. Downloading and executing remote binaries (even from GitHub releases) without pinning a version, checksum, or signature is a higher-risk pattern and should be treated cautiously.
Credentials
The skill declares no required env vars, and instead relies on a local JSON config file for SMTP credentials. That is proportionate to sending email, but the skill does not declare or protect those secrets and may cause credentials or local files (attachments) to be transmitted over SMTP. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request permanent 'always' presence and does not declare changes to other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
What to consider before installing
Before installing or running this skill:
1) Treat the SKILL.md download step as installing arbitrary native code — prefer to manually download, verify, and pin a specific release (and check checksums/signatures) rather than following an automated 'latest' redirect.
2) Review the upstream project (craftslab/gomail) and its releases to ensure trustworthiness.
3) Avoid placing high-privilege credentials in repository files; use a secrets manager or ephemeral/test SMTP credentials.
4) When testing, use --dry-run and restrict attachments to non-sensitive test files; consider running the binary in an isolated/test environment or container.
5) If you cannot verify the binary or prefer lower risk, consider integrating with a known SMTP client library or a well-reviewed managed mail API instead of downloading and executing a remote binary.
Like a lobster shell, security has layers — review code before you run it.
