Skill v1.0.0
ClawScan security
Mufi Email Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 16, 2026, 3:38 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The package behaves like an IMAP/SMTP email manager (which justifies asking for email credentials), but the registry metadata, install spec, and runtime instructions are inconsistent and some referenced scripts are missing — review before installing or supplying credentials.
- Guidance
- This package is an on-premises IMAP/SMTP email manager and the code matches the described features, but there are several red flags you should consider before installing or providing credentials:
  - The registry metadata declares no required env vars, but SKILL.md and the code require many email account credentials (GMAIL_*, NAVER_*, DAUM_*, KAKAO_*). Do not provide passwords to a skill whose metadata omits this requirement without verification of the publisher.
  - SKILL.md references scripts (digest.js, send.js, search.js) that are not included in the file list. Confirm the repository is complete and maintained, or ask the author for the missing files.
  - The project expects a .env at ../../.env (repo root). Ensure you add .env to .gitignore before creating it to avoid accidentally committing secrets.
  - Prefer using app-specific passwords or OAuth flows (especially for Gmail) rather than your primary account password. This code uses basic username/password auth for IMAP/SMTP, which may require app passwords for some providers.
  - Review the code locally (you already have all source files) and run npm install in an isolated environment (container or VM) if you want to test. Check network activity if you are concerned about exfiltration — this repo only uses IMAP/SMTP and does not contain obvious remote exfil endpoints, but mismatched metadata and missing files are a sign to be cautious.

  If you plan to use it, verify the missing scripts, confirm the author/source, and only use account credentials you are willing to expose to a local tool (or better, use app-specific credentials).
Review Dimensions
- Purpose & Capability
- concern: The skill's name and description match the code: it connects to IMAP/SMTP, summarizes, filters, and replies. However, the registry metadata claims no required environment variables or install steps while SKILL.md and the code expect many account credentials (GMAIL_*, NAVER_*, DAUM_*, KAKAO_*), a .env file, and an npm install. That mismatch (metadata says none, runtime needs many secrets) is an incoherence.
- Instruction Scope
- concern: SKILL.md instructs creating a .env with many credentials and running several scripts. The included scripts implement checking, filtering, summarizing, and replying — which is consistent. However, SKILL.md references additional commands/scripts (node scripts/digest.js, send.js, search.js) that are not present in the provided file manifest, creating a gap between documentation and code. Also, lib/config.js loads .env from ../../.env (repository root), which may be unexpected and increases the risk of accidental credential commits if .gitignore is not configured.
- Install Mechanism
- note: There is no formal install spec in the registry, but a package.json and SKILL.md recommend running npm install. The dependencies are standard (imap, mailparser, nodemailer, dotenv) from the public npm registry — moderate but expected risk. The absence of an explicit install block in the registry metadata is inconsistent with the presence of code and package.json.
- Credentials
- concern: The skill legitimately needs IMAP/SMTP credentials to operate, but the registry claims no required env vars or primary credential. That omission is important: users would not be warned that they must provide plaintext account passwords (or app-specific passwords). The code expects many sensitive env vars (username/password for multiple providers); requesting multiple unrelated account credentials is proportionate to the stated purpose only if the user intends to manage multiple accounts, but it must be explicit. The advice to add .env to .gitignore is present, but the tool still requires storing secrets locally in plaintext if used as-is.
- Persistence & Privilege
- ok: The skill does not request 'always: true' nor attempt to modify other skills or system-wide settings. It operates as normal command-line scripts and does not request elevated persistence or platform-level privileges.
