send-email
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: send-email Version: 1.0.1 The skill is classified as benign. The primary script, `send_email.py`, securely retrieves all necessary SMTP credentials exclusively from environment variables, as instructed by `SKILL.md` and `README.md`. These markdown files also explicitly instruct the OpenClaw agent *not* to read sensitive configuration files like `~/.openclaw/openclaw.json` or `~/.msmtprc`, which is a strong defensive measure against prompt injection and credential exposure. While a `send_email.sh` script exists that relies on `msmtp` and potentially `~/.msmtprc`, the agent instructions clearly direct it to use `send_email.py`, making the shell script an unused or alternative implementation within the agent's workflow. There is no evidence of data exfiltration, malicious execution, persistence, or obfuscation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this alternate helper is invoked, the agent could send email using local mail account settings outside the advertised SMTP-environment configuration.
This included helper can use msmtp/mutt and ~/.msmtprc/default mail accounts, while the documented skill says credentials should come from OpenClaw env injection and says not to use ~/.msmtprc.
ACCOUNT="${5:-default}" ... mutt -s "$SUBJECT" -a "$ATTACHMENT" -- "$TO" < "$TMP_MAIL" -F ~/.msmtprc ... msmtp "$TO" < "$TMP_MAIL"Remove the shell helper or update the skill metadata and documentation to clearly declare msmtp/mutt usage, which account configuration is used, and when the helper may be invoked.
Mistyped recipients or attachment paths could send information to the wrong person.
The skill exposes a command that sends email and can attach a user-specified local file. This is central to the stated purpose, but it is an external action that can disclose the attachment to the recipient.
python3 ~/.openclaw/workspace/skills/send-email/send_email.py "recipient" "Subject" "Body" "/path/to/file.pdf"
Confirm recipient addresses and attachment paths before sending, especially for private or business-sensitive files.