v1.3.0

one-mail

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 6:36 AM.

Analysis

This mail skill is coherent, but it needs review because it handles powerful mailbox credentials and contains unsafe command/code construction that could run unintended commands from crafted inputs.

Guidance: Only install after reviewing the code and being comfortable granting email read/send permissions. Prefer a patched version that removes eval/generated-code interpolation, avoids exporting credentials, declares its credential requirements, and requires confirmation before sending mail or attachments.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
scripts/lib/gmail.sh
local raw_emails=$(eval "$gog_cmd") ... echo "$body" | eval "$gog_cmd"

The script builds gog_cmd from values such as query, recipient, subject, attachment path, and reply target, then executes it through eval.

User impact: A crafted search term, email address, subject, or attachment path could escape quoting and run shell commands as the user when Gmail operations are used.
Recommendation: Remove eval and invoke gog with argument arrays so user-provided values are passed as data, not shell code.

Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
scripts/lib/163.sh
python3 - <<EOF ... msg['Subject'] = '$subject' ... msg.attach(MIMEText('''$body''', 'plain', 'utf-8')) ... with open('$attach', 'rb')

User/account values are interpolated directly into generated Python source without escaping or structured serialization.

User impact: A crafted subject, body, address, credential, or attachment path could break out of the Python string literals and execute unintended Python code or alter the message being sent.
Recommendation: Use a standalone Python script that accepts JSON, argv, or stdin data, and serialize values safely instead of templating them into code.

Tool Misuse and Exploitation
Severity: Medium; Confidence: High; Status: Note
SKILL.md
bash scripts/send.sh --to "recipient@example.com" --subject "Hello" --body "Email content" ... --attach "/path/to/file.pdf"

Outbound mail with optional local-file attachments is a core, disclosed feature, but the artifacts do not show an explicit confirmation or dry-run requirement before sending.

User impact: If invoked on an ambiguous or mistaken instruction, the agent could send email or attachments from a configured account.
Recommendation: Require explicit user confirmation of recipient, subject, body, sending account, and attachments before sending.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
scripts/lib/common.sh
CREDS=$(cat "$CREDS_FILE")
    export CREDS

The full credentials file is loaded and exported, so child tools launched by the scripts inherit all stored mailbox secrets.

User impact: OAuth refresh tokens, client secrets, and app passwords may be exposed more broadly than necessary to subprocesses such as gog, curl, jq, and python3.
Recommendation: Do not export the whole credential store; load only the needed account secret in local scope and prefer OS keychain or another scoped secret store.

Identity and Privilege Abuse
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
Outlook | OAuth 2.0 (Graph API) | Requires Mail.ReadWrite + Mail.Send permissions ... NetEase 163 ... Requires enabling IMAP and using an app password

The skill asks for mailbox-wide OAuth permissions and app passwords, while the registry metadata declares no primary credential or required config path.

User impact: Installing and configuring the skill can grant broad ability to read, write, and send mail from the user's accounts.
Recommendation: Declare the credential/config requirements clearly, use least-privilege scopes such as read plus send where possible, and have users review provider permissions before authorizing.