send-email

Review

Audited by ClawScan on May 10, 2026.

Overview

The main email-sending script is purpose-aligned, but an included shell helper contradicts the docs by using local msmtp/.msmtprc mail account settings.

Review before installing. The Python SMTP sender appears straightforward, but the package should be cleaned up or clarified so the agent cannot accidentally use the included msmtp/.msmtprc shell path. Use an email app password or auth code, and verify every recipient and attachment before sending.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern, Medium Confidence
ASI03: Identity and Privilege Abuse
What this means

If this alternate helper is invoked, the agent could send email using local mail account settings outside the advertised SMTP-environment configuration.

Why it was flagged

This included helper can use msmtp/mutt with ~/.msmtprc and default mail accounts, while the documented skill says credentials should come from OpenClaw env injection and says not to use ~/.msmtprc.

Skill content
ACCOUNT="${5:-default}" ... mutt -s "$SUBJECT" -a "$ATTACHMENT" -- "$TO" < "$TMP_MAIL" -F ~/.msmtprc ... msmtp "$TO" < "$TMP_MAIL"
Recommendation

Remove the shell helper or update the skill metadata and documentation to clearly declare msmtp/mutt usage, which account configuration is used, and when the helper may be invoked.

What this means

Mistyped recipients or attachment paths could send information to the wrong person.

Why it was flagged

The skill exposes a command that sends email and can attach a user-specified local file. This is central to the stated purpose, but it is an external action that can disclose the attachment to the recipient.

Skill content
python3 ~/.openclaw/workspace/skills/send-email/send_email.py "recipient" "Subject" "Body" "/path/to/file.pdf"
Recommendation

Confirm recipient addresses and attachment paths before sending, especially for private or business-sensitive files.