Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
eMail manager lite
v1.0.1 · Lightweight email manager with IMAP/SMTP support, advanced search, folder management, and attachment detection. Works with Zoho, Gmail, Outlook, and any IMAP/SMTP provider.
⭐ 2 · 2.6k · 4 current · 4 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match the code (IMAP/SMTP operations, search, move, attachments). However, the registry metadata declares no required environment variables or primary credential, while the runtime instructions and code clearly require EMAIL_USER and EMAIL_PASS. That metadata mismatch is incoherent and could mislead users about what secrets are needed.
Instruction Scope
SKILL.md and README scope align with email functionality and the included CLI script; they instruct users to run npm install and set EMAIL_USER/EMAIL_PASS. However, SKILL.md contains contradictory statements (it claims 'zero external dependencies' yet lists npm dependencies), and the runtime code sets imapConfig.tlsOptions.rejectUnauthorized = false, which disables certificate verification — a security-reducing behavior that is neither documented nor justified in the docs.
Install Mechanism
There is no install spec in the registry (instruction-only), but package.json and SKILL.md instruct users to run 'npm install' to fetch standard packages (nodemailer, imap-simple, mailparser). These dependencies are appropriate for the stated purpose; installing via npm is expected but does pull third-party packages, so users should run 'npm audit' and inspect the dependency tree.
Credentials
The code legitimately needs two environment variables (EMAIL_USER and EMAIL_PASS) to talk to IMAP/SMTP. That credential request is proportionate to the purpose. The problem is that the skill manifest/registry metadata does not declare these required env vars or a primary credential, which is misleading. Also, the skill recommends app passwords (good), but the code reads process.env directly and exits if credentials are missing.
Persistence & Privilege
The skill does not request permanent/always-on inclusion and does not alter other skills or system-wide configs. It runs as a CLI-style script and requires explicit invocation; autonomous invocation is allowed by default on the platform but is not combined with other high privileges here.
What to consider before installing
What to check before installing/use:
- Metadata mismatch: the registry lists no required env vars but the tool needs EMAIL_USER and EMAIL_PASS. Treat this as a red flag and prefer skills whose manifest accurately lists required credentials.
- TLS/mitm risk: the code disables certificate validation (tlsOptions.rejectUnauthorized = false) for IMAP. Edit scripts/email.js to remove or set this to true, and only use the skill with trusted networks until fixed.
- Credentials: use provider 'App Passwords' as recommended (not your main account password). Consider using short-lived credentials or tokens where possible.
- Dependency hygiene: the package uses common email libs (nodemailer, imap-simple, mailparser). Run 'npm install' in an isolated environment, run 'npm audit', and inspect installed packages before running.
- Source trust: owner and homepage are unknown. If you don't trust the author, review the full scripts/email.js source (it is included) or run in a sandboxed container.
If the author updates the registry metadata to declare EMAIL_USER/EMAIL_PASS and either removes or documents why rejectUnauthorized was disabled, and you or a reviewer confirm the dependencies, this would raise confidence.
Like a lobster shell, security has layers — review code before you run it.
latest · vk977pt31qxnzz3k5r8wzq0fj1d80c4kj
