Back to skill
Skillv1.0.4
ClawScan security
Send transactional email via DmartechX/Iemail OpenAPI. Configure in OpenClaw skills env or use secret.md. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 1:23 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, required environment variables, and runtime instructions are coherent for sending transactional email via the Iemail API; nothing requests unrelated credentials or system-wide privileges.
- Guidance
- This skill appears to do what it claims: send transactional email through Iemail. Before installing, confirm you trust the Dmartech domain (iemail-api.dmartech.cn) and are comfortable storing the IEMAIL_ACCESS_KEY and IEMAIL_ACCESS_KEY_SECRET in your OpenClaw skill env. Note the Python script will auto-install requests/cryptography via pip at runtime — if you prefer stricter control, preinstall dependencies in a sandboxed environment. Also be aware that SKILL.md suggests reading your OpenClaw config file (~/.openclaw/openclaw.json) for credentials; limit what you store there to avoid exposing unrelated secrets.
Review Dimensions
- Purpose & Capability
- okName/description, required env vars (IEMAIL_ACCESS_KEY, IEMAIL_ACCESS_KEY_SECRET, IEMAIL_SENDER), and the included Python script all match the stated purpose of sending transactional email through Dmartech/Iemail OpenAPI. Requiring python3 is reasonable. The API endpoints used are under the expected dmartech domain.
- Instruction Scope
- noteSKILL.md tells the agent to read ~/.openclaw/openclaw.json or workspace config files for credentials. The included send_email.py itself reads only environment variables (os.getenv). Asking the agent to read OpenClaw config files is expected for this platform, but it could expose other skill configuration values if the agent actually reads the full file — this is a scope note rather than a mismatch with purpose.
- Install Mechanism
- noteThe bundle has no declared install spec, but send_email.py will auto-install missing Python packages at runtime using pip (requests and, if needed, cryptography). This is not an external binary download, but runtime pip installs are a moderate operational risk (modifies environment, pulls from PyPI).
- Credentials
- okThe skill only requires three environment values specific to the email service (access key, secret, sender) plus an optional IEMAIL_TO. There are no unrelated credentials or broad filesystem/config path access requested.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and is user-invocable. It runs only when invoked and doesn't demand persistent system privileges.