ClawHub

Gmail Sender

v1.0.0

Send emails via Gmail SMTP using a Python CLI tool with Google App Password for alerts, notifications, and automated reports.

0· 573·5 current·5 all-time
byJunkai Xue@junkaixue
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a Python CLI named 'gmail-send' and explains how to set GMAIL_USER and GMAIL_APP_PASSWORD, but the skill bundle contains no script, module, or binary implementing that functionality. The registry metadata also lists no required environment variables or primary credential even though the instructions require a sensitive App Password. These inconsistencies mean the package as provided cannot perform its claimed purpose and the manifest doesn't match the runtime instructions.
!
Instruction Scope
Instructions direct the agent/user to set environment variables containing credentials and to execute './gmail-send' (including via cron and from subprocess.run). The instructions do not ask for unrelated files or secrets, but they assume the presence of an executable that is not included. That gap is a scope/integrity problem: the runtime behavior is undefined without the missing artifact. Otherwise the instruction steps are focused on the stated task.
Install Mechanism
There is no install specification (instruction-only). That reduces risk from automatic downloads, but also means required code must be present in the skill bundle — which it is not. Because no install occurs, there is no immediate write/execute risk from an installer, but the lack of included code is a practical problem.
!
Credentials
The instructions require GMAIL_USER and GMAIL_APP_PASSWORD (sensitive credentials). However, the skill metadata declares no required env vars or primary credential. Requesting a Google App Password is proportionate to sending mail, but the mismatch between declared and actual required env vars is a red flag. Users should confirm how credentials are used by reviewing the actual code before supplying secrets.
Persistence & Privilege
The skill is not always:true, does not request system-wide config changes, and contains no install hooks. There is no evidence it requests persistent elevated privileges or modifies other skills. This dimension appears acceptable.
Scan Findings in Context
[no_code_files_detected] unexpected: The regex-based scanner had no code to analyze. SKILL.md references an executable/script 'gmail-send' but the bundle contains only SKILL.md and _meta.json; this absence is not expected for a CLI implementation.
What to consider before installing
Do not install or provide your Gmail App Password until you can inspect the actual code for 'gmail-send'. Ask the publisher for the missing script/source and for corrected metadata that declares the required env vars. When you do review code, check how credentials are read and transmitted (ensure TLS is used and credentials are not logged or exfiltrated). Prefer using a dedicated Google account or OAuth with limited scope rather than a primary personal account App Password. If the publisher cannot provide the executable/source, treat the package as incomplete and avoid supplying secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk9790y2ec26k60v62wgzmcq5hx81r2s1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments