Email Sender
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Emails may be sent from a bundled Gmail account that the user does not control, and the exposed app password could be abused by anyone with access to the skill package.
The skill embeds a Gmail account and app password in source code and logs in with them, while the metadata does not declare a required credential or user-controlled credential setup.
SENDER_EMAIL = "elodyzen@gmail.com" ... SENDER_PASSWORD = "trmil...giqq" ... server.login(SENDER_EMAIL, SENDER_PASSWORD)
Remove the hardcoded credential, rotate the exposed Gmail app password, require each user to provide their own credential through a secret manager or environment variable, and declare that credential in the skill metadata.
A mistaken or unintended invocation could send an email or attach the wrong local file to an external recipient.
The tool is designed to send email to user-specified recipients and can attach a file from an absolute local path. This is purpose-aligned, but it is an externally visible action involving local files.
"to": { "type": "string", "description": "Recipient email address" } ... "attachment_path": { "type": "string", "description": "Absolute path to file to attach (optional)" }
Require clear user confirmation of the recipient, subject, body, and attachment path before sending, and consider path, file type, and size checks for attachments.
