IMAP/SMTP Email (Plus)

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to be a real IMAP/SMTP email tool, but it asks for powerful email credentials and has risky file/email actions that should be reviewed before use.

Only install this if you are comfortable giving it email account access. Prefer app-specific passwords, keep `.env` private, verify the publisher/source, require confirmation before any email is sent or mailbox is changed, and be cautious downloading attachments until filename sanitization is fixed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and configuring the skill gives it access to private email and the ability to send mail from the configured account.

Why it was flagged

The skill requires account-level email credentials or app passwords, but the registry metadata lists no primary credential or required environment variables. This is powerful access because it can read and send mail.

Skill content
IMAP_USER=your@email.com
IMAP_PASS=your_password
...
SMTP_USER=your@gmail.com
SMTP_PASS=your_password
Recommendation

Use app-specific passwords where possible, avoid primary account passwords, keep the `.env` file private, and update the registry metadata to declare the required credentials.

What this means

A mistaken or prompt-injected agent action could send unintended email or attachments from the user's account.

Why it was flagged

The SMTP command sends the email immediately once invoked. The artifacts do not show a built-in confirmation, approval prompt, recipient allowlist, or dry-run step before sending.

Skill content
const info = await transporter.sendMail(mailOptions);
Recommendation

Require explicit user confirmation before every send, show recipients/subject/body/attachments before sending, and consider a dry-run or allowlist mode.

What this means

Downloading an attachment from a malicious email could overwrite or create local files outside the chosen download folder.

Why it was flagged

Attachment filenames come from email content, but the code joins that untrusted filename directly into the output path and writes it. Filenames containing path traversal sequences could write outside the intended directory.

Skill content
const filePath = path.join(outputDir, attachment.filename);
fs.writeFileSync(filePath, attachment.content);
Recommendation

Sanitize attachment filenames, reject absolute paths and `..` components, write only inside a dedicated safe directory, and avoid overwriting existing files without confirmation.

What this means

Private email content may enter the agent conversation, and malicious emails could try to influence the agent's behavior.

Why it was flagged

Fetched email bodies and HTML are returned to the agent. This is expected for an email-reading skill, but email content is private and can contain untrusted instructions or phishing text.

Skill content
text: parsed.text,
html: parsed.html,
snippet: parsed.text ? parsed.text.slice(0, 200) : ...
Recommendation

Treat fetched email content as untrusted data, do not follow instructions found inside emails without user approval, and fetch only the messages needed.

What this means

It is harder to confirm who published or maintains the exact package before trusting it with email credentials.

Why it was flagged

The embedded metadata does not match the registry listing for owner, slug, and version. The package source is also listed as unknown, which creates a provenance gap for a skill that asks for email credentials.

Skill content
"ownerId": "kn70j4ejnwqjpykvwwvgymmdcd8055qp",
"slug": "imap-smtp-email",
"version": "0.0.2"
Recommendation

Verify the publisher and source repository before entering credentials, and align package metadata with the registry entry.