Mail Sender SMTP

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill does what it claims—send user-specified email through SMTP—but it needs SMTP credentials and can send mail from that account.

This appears safe for its stated purpose if you trust it to send email. Configure SMTP with an app-specific password, prefer environment variables over typing secrets into chat, and require confirmation of the recipient and message content before sending.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If SMTP credentials are configured, the agent can send email as that account to the specified recipient.

Why it was flagged

The script logs in to an SMTP account and sends a message. This is expected for an SMTP sender skill, but it delegates use of the user's email identity.

Skill content

smtp.login(smtp_user, smtp_pass)
smtp.send_message(msg)

Recommendation

Use an app-specific or scoped SMTP password, avoid providing primary account passwords in chat, and review the recipient, subject, and body before sending.

What this means

A mistaken recipient, subject, or body could send an unintended email from the configured account.

Why it was flagged

The documented workflow performs an outbound email send using user-provided fields. This matches the skill purpose but can have external consequences if used with the wrong details.

Skill content

python3 skills/public/mail-sender/scripts/send.py \
  --to-email "recipient@example.com" \
  --subject "Hello from OpenClaw" \
  --body "This is a test email sent via the mail-sender skill."

Recommendation

Have the agent draft the email first and confirm the final recipient and content before invoking the sender.