ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Sender

Email sending skill via SMTP or API providers. Supports attachments, HTML templates, and batch sending.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 47 · 0 current installs · 0 all-time installs
by@jpengcheng523-netizen
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and SKILL.md describe sending email via SMTP or API providers (SendGrid, Resend) and list the expected environment variables for SMTP and API keys — these credentials are appropriate for the stated purpose. However, the registry metadata declares no required environment variables or primary credential, and the skill has no source/homepage; that mismatch between claimed behavior and declared requirements reduces trust.
!
Instruction Scope
The SKILL.md instructs running 'python3 scripts/send_email.py' with options and referencing attachments and batch CSVs, but the skill bundle contains no code or scripts. That means the instructions assume external files or tooling exist on the host; an agent following them could attempt to run arbitrary local scripts or access arbitrary file paths (attachments, recipients.csv). While reading attachments/CSV is functionally necessary, the missing implementation and broad file access are a scope/integrity concern.
Install Mechanism
This is instruction-only with no install spec and no code to write to disk — lowest install risk. The downside: there's no packaged, auditable implementation included, so behavior depends entirely on external scripts or environment.
!
Credentials
The SKILL.md lists sensitive environment variables (EMAIL_SMTP_USER, EMAIL_SMTP_PASS, EMAIL_SENDGRID_API_KEY, EMAIL_RESEND_API_KEY) which are reasonable for an email sender, but the registry metadata declares no required env vars or primary credential. That inconsistency is important: the skill asks for secrets but does not formally declare them, which makes it easy to mistakenly expose credentials without clear governance.
Persistence & Privilege
The skill does not request persistent inclusion (always:false) and does not declare any system-wide config changes or privileged persistence. No additional privilege concerns detected from the metadata.
What to consider before installing
Before installing or using this skill: (1) Treat it as incomplete — it provides only instructions and expects a scripts/send_email.py that is not included. Do not supply production credentials until you confirm where the sending code will run and can inspect it. (2) Ask the publisher for the implementation or a reputable source/homepage and review the code to ensure it uses credentials safely and does not exfiltrate data. (3) If you must test, use isolated/test accounts and short-lived API keys, limit scopes, and rotate keys afterwards. (4) Be aware batch sending can send large volumes — confirm rate limits and intended recipients to avoid accidental spam. (5) Prefer skills that explicitly declare required env vars/credentials and include or link to auditable code.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9777t055033e6rrmnfyfsppk983haaa

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Email Sender

Send emails via SMTP or API providers (SendGrid, Mailgun, Resend).

When to Use

  • User wants to send an email
  • Automated notifications
  • Batch email campaigns
  • HTML email with attachments

Configuration

Set environment variables:

# SMTP mode
export EMAIL_SMTP_HOST="smtp.gmail.com"
export EMAIL_SMTP_PORT="587"
export EMAIL_SMTP_USER="your@email.com"
export EMAIL_SMTP_PASS="your-app-password"

# Or API mode (SendGrid)
export EMAIL_SENDGRID_API_KEY="SG.xxx"

# Or API mode (Resend)
export EMAIL_RESEND_API_KEY="re_xxx"

Usage

python3 scripts/send_email.py \
  --to "recipient@example.com" \
  --subject "Hello" \
  --body "This is the message body" \
  --html  # Optional: send as HTML

With attachments

python3 scripts/send_email.py \
  --to "recipient@example.com" \
  --subject "Report Attached" \
  --body "Please find attached." \
  --attach "/path/to/report.pdf"

Batch sending

python3 scripts/send_email.py \
  --batch recipients.csv \
  --template template.html \
  --subject "Newsletter"

Output

Returns JSON with send status:

{
  "success": true,
  "message_id": "msg_xxx",
  "to": "recipient@example.com"
}

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…