Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Sender

v1.0.2

Send emails with optional file attachments using a Gmail account via SMTP by specifying recipient, subject, body, and an optional attachment path.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability (flagged)
The skill's stated purpose (send email via Gmail SMTP) matches the code, but required credentials are not declared in metadata or SKILL.md; instead the sender email and an app password are hard-coded into script.py. A legitimate implementation would accept credentials via environment variables or an OAuth flow rather than embedding them in code.
Instruction Scope (flagged)
SKILL.md and tools.json describe a send_email function that accepts an absolute attachment_path; script.py will open and attach any file at that path. That capability is consistent with 'attachments' but also allows reading arbitrary files on the host and transmitting them by email (sensitive system files, secrets, etc.). There is no validation, sandboxing, or explicit limitation on which paths are allowed.
Install Mechanism
No install spec or external downloads are present; the skill is instruction/code-only and doesn't write/install additional software. This lowers supply-chain risk compared with remote installers.
Credentials (flagged)
No environment variables or credentials are declared, yet script.py contains a clear sender email and an app password (SENDER_EMAIL and SENDER_PASSWORD). This is disproportionate and risky: embedding credentials in code can enable the skill author (or anyone with the package) to send mail from that account and to exfiltrate files without the user's explicit credentialing.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system settings. However, because autonomous invocation is allowed by default, an agent could invoke this tool on its own — combined with the hard-coded credentials and unrestricted file reads, that increases the blast radius for accidental or malicious data exfiltration.
What to consider before installing
Do not install or run this skill as-is. It contains a hard-coded Gmail address and app password in script.py, which lets the package send mail from that account and makes it trivial to exfiltrate arbitrary files by supplying attachment_path. If you need this functionality, prefer a version that: (1) does not embed credentials — require the user to supply credentials via environment variables or an explicit OAuth/SMTP configuration; (2) enforces attachment path restrictions or confirms before attaching sensitive files; (3) logs and surfaces where emails are sent and by whom. If you already installed or ran it, consider rotating the exposed Gmail app password, auditing the account's sent mail and activity, and replacing the skill with a reviewed implementation that keeps credentials out of repository code.
