Skill v2.5.0

ClawScan security

Send Email Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 3:35 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill implements a local SMTP mail-sending tool whose code, instructions, and file access are consistent with its description. It does not request unrelated cloud credentials or hidden network endpoints, but it does store credentials locally in a base64-encoded (reversible, not encrypted) form when keyring is unavailable, and it can read local files for attachments, inline images, and templates, which is expected for an email tool but has security implications.
Guidance
This skill appears to do what it says (send SMTP email with templates, attachments, and inline images). Before installing or using it, consider the following:
1) Prefer a real system keyring (pip install keyring) so credentials are never written to the base64 fallback files. If the fallback files (~/.send_email_username, ~/.send_email_password) already exist, delete them and re-save the credentials to the keyring. Base64 is an encoding, not encryption: anyone who can read those files can recover the password.
2) Treat the config file (~/.send_email_config.json) and any fallback credential files as sensitive: restrict them to owner-only permissions (0o600) and avoid using the skill on multi-user or shared machines.
3) Test with a non-critical email account and use an app-specific password (e.g., a Gmail App Password) rather than your main account password, so a leaked credential can be revoked without affecting the account itself.
4) The script reads any local path you provide (attachments, inline images, template files); do not pass sensitive system files as attachments.
5) If you allow the agent to invoke the skill autonomously, an attacker or misconfigured agent could craft a message that exfiltrates local files as attachments; restrict autonomous use or review invocation policies accordingly.
6) For stronger protection, review the send_email.py source before use and consider replacing the base64 fallback with proper encryption or forcing keyring-only storage.
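The following script is an added example and is not code from the Send Email Tool skill or from ClawHub. It puts guidance points 1 and 2 into practice: it looks for the base64 fallback files and the config file under a home directory, decodes a fallback file to show how trivially reversible it is, flags any of the three files readable by group or other, optionally tightens them to 0o600, and can migrate the fallback credentials into the system keyring before overwriting and deleting the files. Two things are assumptions rather than facts about the skill: that each fallback file holds one base64 line of the UTF-8 value, and the keyring service name "send_email" (use whatever send_email.py actually registers). The sample files it creates with --demo are constructed and contain no real credentials.

```python
"""Audit helper for the Send Email Tool's local credential artifacts.

Added example, not part of the skill. Assumptions: each fallback file holds a
single base64 line of the UTF-8 value; the keyring service name below is
hypothetical and must match what send_email.py registers.
"""
import base64
import stat
import tempfile
from pathlib import Path

FALLBACK_FILES = (".send_email_username", ".send_email_password")
CONFIG_FILE = ".send_email_config.json"
KEYRING_SERVICE = "send_email"  # hypothetical; match the skill's real service name


def decode_fallback(path: Path) -> str:
    """Recover the plaintext from a base64 fallback file: encoding, not encryption."""
    return base64.b64decode(path.read_text().strip()).decode("utf-8")


def loose_permissions(path: Path) -> bool:
    """True if group or other holds any permission bit on the file."""
    return bool(stat.S_IMODE(path.stat().st_mode) & (stat.S_IRWXG | stat.S_IRWXO))


def tighten(path: Path) -> int:
    """Set owner-only permissions and return the resulting mode bits (0o600)."""
    path.chmod(0o600)
    return stat.S_IMODE(path.stat().st_mode)


def audit(home: Path, fix: bool = False) -> dict:
    """Report fallback files and loosely permissioned files under `home`."""
    report = {"fallback_files": [], "loose_permissions": [], "fixed": []}
    for name in FALLBACK_FILES + (CONFIG_FILE,):
        p = home / name
        if not p.exists():
            continue
        if name in FALLBACK_FILES:
            report["fallback_files"].append(str(p))
        if loose_permissions(p):
            report["loose_permissions"].append(str(p))
            if fix:
                tighten(p)
                report["fixed"].append(str(p))
    return report


def migrate_to_keyring(home: Path, delete: bool = True) -> dict:
    """Move the fallback credentials into the system keyring, verify the
    round-trip, then overwrite and delete the files. Nothing is deleted unless
    the keyring confirms it stored the password."""
    try:
        import keyring
        from keyring.errors import KeyringError
    except ImportError:
        return {"migrated": False, "reason": "keyring not installed (pip install keyring)"}
    user_file, pass_file = (home / name for name in FALLBACK_FILES)
    if not (user_file.exists() and pass_file.exists()):
        return {"migrated": False, "reason": "no fallback files present"}
    username, password = decode_fallback(user_file), decode_fallback(pass_file)
    try:
        keyring.set_password(KEYRING_SERVICE, username, password)
        stored = keyring.get_password(KEYRING_SERVICE, username)
    except KeyringError as exc:  # e.g. no usable backend on a headless machine
        return {"migrated": False, "reason": f"keyring backend error: {exc}"}
    if stored != password:
        return {"migrated": False, "reason": "keyring round-trip mismatch; files kept"}
    if delete:
        for f in (user_file, pass_file):
            f.write_bytes(b"\0" * f.stat().st_size)  # best-effort overwrite before unlink
            f.unlink()
    return {"migrated": True, "username": username}


def make_sample_home() -> Path:
    """Constructed sample, not real credentials: a throwaway 'home' holding the
    three files with base64 fallback values and deliberately loose 0o644 modes."""
    home = Path(tempfile.mkdtemp(prefix="send_email_demo_"))
    samples = {FALLBACK_FILES[0]: "alice@example.com", FALLBACK_FILES[1]: "demo-app-password"}
    for name, value in samples.items():
        p = home / name
        p.write_text(base64.b64encode(value.encode("utf-8")).decode("ascii"))
        p.chmod(0o644)
    cfg = home / CONFIG_FILE
    cfg.write_text('{"smtp_host": "smtp.example.com", "smtp_port": 587}')
    cfg.chmod(0o644)
    return home


if __name__ == "__main__":
    import json
    import sys

    target_home = make_sample_home() if "--demo" in sys.argv else Path.home()
    print(json.dumps(audit(target_home, fix="--fix" in sys.argv), indent=2))
    if "--migrate" in sys.argv:
        print(json.dumps(migrate_to_keyring(target_home), indent=2))
```

Run it with --demo to exercise the constructed sample, without flags to audit your real home directory, and with --fix and --migrate to tighten permissions and move the fallback credentials into the keyring. The migration deliberately verifies the keyring round-trip before touching the files, so a misconfigured or absent backend leaves the fallback files in place rather than destroying the only copy of the credential.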

Review Dimensions

Purpose & Capability
ok
Name/description (send email via SMTP, HTML, attachments, inline images, templates) match the included script and instructions. No unrelated credentials or services are requested, and the required functionality (keyring, markdown conversion, template rendering, file attachments) is coherent with the stated purpose.
Instruction Scope
note
Runtime instructions tell the agent/user to run the included send_email.py script, configure SMTP, and manage credentials via keyring. The script and docs explicitly read local files for templates, attachments, and inline images, and persist configuration to ~/.send_email_config.json. This is expected for an email tool, but it means the skill will access any local file path you supply. The fallback behavior (when keyring is not installed) stores credentials in base64-encoded files in the home directory; that is functionally coherent but weak from a security perspective, since base64 is an encoding rather than encryption, and the user should take it into account.
Install Mechanism
ok
There is no automated install spec; this is instruction + script. Dependencies are limited to optional Python packages (keyring, markdown) suggested via pip; no remote downloads or obscure installers are used in the package metadata.
Credentials
note
The skill requests no environment variables or external API keys, which is proportionate. It does persist configuration and (optionally) credentials locally: preferred storage is the system keyring, but the fallback writes base64-encoded username/password files (~/.send_email_username, ~/.send_email_password) and a JSON config (~/.send_email_config.json). Those files are trivially reversible and should be treated as sensitive; their presence is justified by the feature but carries additional risk.
Persistence & Privilege
ok
The skill does not request always:true and does not modify other skills. It will create/update files under the user's home directory (config and fallback credential files), which is normal for local CLI tools. Note: the skill can be invoked autonomously (disable-model-invocation is false by default); combined with the ability to attach or inline arbitrary local files, that increases the impact if an agent were compromised, but this is not itself incoherent with the skill's purpose.
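The exfiltration path noted above (an autonomously invoked agent attaching arbitrary local files) is the one an operator most wants a concrete control for. The guard below is an added example, not code from the Send Email Tool skill or from ClawHub: it is what you could wrap around the attachment and inline-image arguments before they reach send_email.py. A candidate path is accepted only if, with symlinks resolved, it lies inside an allow-listed outbox directory, is a regular file, and is under a size cap. The outbox directory, the 10 MiB cap, and the sample tree (a legitimate report, a symlink inside the outbox pointing at a file outside it, and that outside file) are constructed for illustration.

```python
"""Attachment path confinement for an agent-invoked mail tool.

Added example, not part of the skill. The allow-listed directory, the size cap
and the sample files are assumptions for illustration.
"""
import tempfile
from pathlib import Path

MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # assumed cap, adjust to your policy


class AttachmentRejected(ValueError):
    """Raised when a candidate path fails the confinement checks."""


def resolve_within(root: Path, candidate: str) -> Path:
    """Return the real path of `candidate` if it is confined to `root`.

    Both sides are resolved with strict=True so symlinks are followed and
    missing files raise FileNotFoundError. `root / candidate` yields the
    absolute path unchanged when `candidate` is already absolute, so absolute
    paths outside the root are caught by the same relative_to check.
    """
    real_root = root.resolve(strict=True)
    target = (real_root / candidate).resolve(strict=True)
    try:
        target.relative_to(real_root)
    except ValueError:
        raise AttachmentRejected(f"resolves to {target}, outside {real_root}") from None
    if not target.is_file():
        raise AttachmentRejected("not a regular file")
    if target.stat().st_size > MAX_ATTACHMENT_BYTES:
        raise AttachmentRejected("exceeds size cap")
    return target


def vet_attachments(root: Path, candidates: list[str]) -> tuple[list[Path], list[str]]:
    """Split candidate paths into accepted real paths and rejection reasons."""
    accepted, rejected = [], []
    for c in candidates:
        try:
            accepted.append(resolve_within(root, c))
        except (AttachmentRejected, FileNotFoundError) as exc:
            rejected.append(f"{c}: {exc}")
    return accepted, rejected


def make_sample_tree() -> Path:
    """Constructed sample: an outbox with a legitimate report, a symlink inside
    the outbox that points at a file outside it, and that outside file itself."""
    base = Path(tempfile.mkdtemp(prefix="attach_demo_"))
    outbox = base / "outbox"
    outbox.mkdir()
    (outbox / "report.pdf").write_bytes(b"%PDF-1.4 demo report")
    outside = base / "id_rsa"
    outside.write_text("-----BEGIN DEMO KEY-----\nnot a real key\n")
    (outbox / "innocent.txt").symlink_to(outside)  # the symlink exfiltration trick
    return outbox


if __name__ == "__main__":
    outbox = make_sample_tree()
    ok, bad = vet_attachments(
        outbox, ["report.pdf", "innocent.txt", "../id_rsa", "/etc/passwd", "missing.txt"]
    )
    print("accepted:", [str(p) for p in ok])
    print("rejected:", *bad, sep="\n  ")
```

Only report.pdf survives: the symlink, the ../ traversal, the absolute system path, and the missing file are all rejected. Resolving the root itself matters on systems where the temp or home directory is a symlink; without it, a correctly confined file would fail the relative_to comparison.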