Email Sender
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its email-sending purpose, but it ships a hardcoded Gmail address and app password and can email local file attachments, so it needs review before use.
Do not install or use this version with the bundled Gmail credential. Ask the publisher to remove and rotate the exposed app password and to support per-user, declared credential configuration with confirmation before sending emails or attachments.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Emails may be sent from a bundled Gmail account that the user does not control, and the exposed app password could be abused by anyone with access to the skill package.
The skill embeds a Gmail account and app password in source code and logs in with them, while the metadata does not declare a required credential or user-controlled credential setup.
SENDER_EMAIL = "elodyzen@gmail.com" ... SENDER_PASSWORD = "trmil...giqq" ... server.login(SENDER_EMAIL, SENDER_PASSWORD)
Remove the hardcoded credential, rotate the exposed Gmail app password, require each user to provide their own credential through a secret manager or environment variable, and declare that credential in the skill metadata.
A mistaken or unintended invocation could send an email or attach the wrong local file to an external recipient.
The tool is designed to send email to user-specified recipients and can attach a file from an absolute local path. This is purpose-aligned, but it is an externally visible action involving local files.
"to": { "type": "string", "description": "Recipient email address" } ... "attachment_path": { "type": "string", "description": "Absolute path to file to attach (optional)" }
Require clear user confirmation of the recipient, subject, body, and attachment path before sending, and consider path, file type, and size checks for attachments.
