send-email
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this alternate helper is invoked, the agent could send email using local mail account settings outside the advertised SMTP-environment configuration.
This included helper can use msmtp/mutt and ~/.msmtprc/default mail accounts, while the documented skill says credentials should come from OpenClaw env injection and says not to use ~/.msmtprc.
ACCOUNT="${5:-default}" ... mutt -s "$SUBJECT" -a "$ATTACHMENT" -- "$TO" < "$TMP_MAIL" -F ~/.msmtprc ... msmtp "$TO" < "$TMP_MAIL"Remove the shell helper or update the skill metadata and documentation to clearly declare msmtp/mutt usage, which account configuration is used, and when the helper may be invoked.
Mistyped recipients or attachment paths could send information to the wrong person.
The skill exposes a command that sends email and can attach a user-specified local file. This is central to the stated purpose, but it is an external action that can disclose the attachment to the recipient.
python3 ~/.openclaw/workspace/skills/send-email/send_email.py "recipient" "Subject" "Body" "/path/to/file.pdf"
Confirm recipient addresses and attachment paths before sending, especially for private or business-sensitive files.