Skill v1.0.0
ClawScan security
email-reporter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 10, 2026, 2:01 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (convert Markdown to PDF and send email) but has implementation issues that could enable unintended file exfiltration and a command-injection risk; some declared requirements are inconsistent with the code.
- Guidance: This skill generally implements an email-sender that converts Markdown to PDF and sends attachments, but review before installing:
  - Security issues to consider:
    - send_attachment.py uses subprocess.run(..., shell=True) when invoking msmtp with a command string that includes recipient input. If an attacker can control the recipient value, this can lead to shell injection. Recommend patching to avoid shell=True and use a list-argument invocation.
    - The tool will attach and send arbitrary files you point it at (including sensitive files). Only run it in contexts where attachments are safe to send, and do not point it at system or secret files.
    - It writes a predictable temporary file (/tmp/email_reporter_msg.eml) when using msmtp, which can cause race conditions or leaking if /tmp is shared—use a secure unique temp file.
    - The skill requires sensitive SMTP credentials (EMAIL_SMTP_PASS). The registry metadata omitted required env vars — treat that as an information gap and supply credentials via a secure secret store, not plaintext where possible.
  - Operational recommendations:
    - If you plan to use the msmtp backend, update send_via_msmtp to avoid shell=True and to create a unique temp file (e.g., tempfile.NamedTemporaryFile) and pass arguments as a list.
    - Limit the agent's filesystem access (or which reports are passed) so it cannot be used to exfiltrate arbitrary files.
    - Verify the pip/system dependencies (markdown, weasyprint, pango libs) in a safe environment before using the skill in production.
  - Given these implementation issues (command execution with shell=True, omission of declared env requirements, and attachment-of-arbitrary-files behavior), proceed only after reviewing or patching the code and restricting where the skill runs.
Review Dimensions
- Purpose & Capability (note): The code matches the stated purpose: converting Markdown to PDF and emailing attachments via SMTP/msmtp. However, the registry metadata lists no required environment variables while the code expects EMAIL_SMTP_PASS, EMAIL_SENDER, EMAIL_RECIPIENT, etc. That mismatch is a configuration/information inconsistency.
- Instruction Scope (note): SKILL.md instructs agents to run the Python scripts directly (subprocess usage example). The scripts read arbitrary report paths and will attach arbitrary files present on disk (expected for an email tool), which means the skill can send any local file the agent is asked to attach. The runtime instructions do not explicitly warn about this risk.
- Install Mechanism (ok): No install spec is provided (instruction-only at registry level). SKILL.md lists pip dependencies (markdown, weasyprint) and system libs for PDF rendering — those are reasonable for the stated functionality and the code imports them.
- Credentials (concern): The code requires SMTP credentials and sender/recipient configuration to operate, but the skill metadata did not mark any required env vars. Requiring an SMTP password (EMAIL_SMTP_PASS) is expected for sending email, but this sensitive credential is not declared in the registry metadata. The skill passes credentials via environment to subprocesses and will send any file the agent provides as an attachment (potential for exfiltration).
- Persistence & Privilege (ok): The skill is not always-enabled and does not request system-wide privileges. It does write a config file to the user's home (~/.email_reporter.conf) if the setup wizard is used; otherwise it uses environment variables. No modifications to other skills or system-wide settings are present.
