IMAP Email Reader
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: imap-email
Version: 1.0.3

The skill is classified as suspicious due to the presence of a configurable option, `IMAP_REJECT_UNAUTHORIZED=false`, which, while documented for specific use cases such as ProtonMail Bridge, introduces a significant man-in-the-middle (MITM) vulnerability if enabled without proper understanding or in untrusted environments. Additionally, the `setup.sh` script directly writes user-provided credentials into the `.env` file. While the Node.js script loads these as environment variables, this pattern of direct user-input handling in a shell script can be a vulnerability if not carefully implemented or if the input is maliciously crafted, even though it is not immediately exploitable for shell injection in this specific context. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, backdoors, or stealthy operations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: Anyone or any agent using this skill with the configured credentials can read email and change read/unread state.
Detail: The skill authenticates to the user's IMAP account using local environment credentials. This is expected for an email reader, but it grants access to private mailbox data.
Evidence: user: process.env.IMAP_USER, password: process.env.IMAP_PASS
Recommendation: Use app-specific or Bridge-generated passwords, limit mailbox access where possible, and only install this for agents you trust with your email.
Impact: An agent could mark important messages as read or unread if given broad instructions.
Detail: The skill can mutate mailbox state by marking messages read or unread. This is disclosed and aligned with the skill's purpose, but it is still a user-visible account change.
Evidence: await connection.addFlags(uids, '\\Seen'); ... await connection.delFlags(uids, '\\Seen');
Recommendation: Require explicit user approval before changing message flags, especially for bulk UID lists.
Impact: A malicious email could try to influence the agent while it summarizes or processes messages.
Detail: Fetched email bodies are returned to the agent. Email is untrusted content and may contain instructions attempting to manipulate the agent.
Evidence: text: parsed.text, html: parsed.html
Recommendation: Treat email bodies as data, not instructions; the agent should ignore commands embedded inside emails.
Impact: Installing the skill requires trusting the listed npm packages and their transitive dependencies.
Detail: The skill depends on third-party npm packages, which is expected for IMAP and mail parsing. A package-lock is present, reducing but not eliminating supply-chain risk.
Evidence:
    "dependencies": {
        "imap-simple": "^5.1.0",
        "mailparser": "^3.7.1",
        "dotenv": "^16.4.7"
    }
Recommendation: Install from the included lockfile, keep dependencies updated, and review dependency changes before upgrading.
Impact: If copied as written, private email summaries could be sent on a schedule to a phone number that may not belong to the user.
Detail: The documented cron workflow automatically summarizes email and delivers it to an iMessage destination with a hardcoded phone number, creating an unclear external data boundary.
Evidence: clawdbot cron add ... --message "Check for new ProtonMail emails and summarize them" --deliver --channel imessage --to "+15085600825"
Recommendation: Remove the hardcoded recipient, require the user to choose their own destination, and make recurring delivery opt-in with clear review and cleanup instructions.
Impact: Users may believe their email password file is protected from accidental commits when the reviewed package does not show that protection.
Detail: The supplied file manifest does not include a .gitignore or .env.example, while setup.sh writes IMAP_PASS into .env. The documentation therefore makes a credential-safety claim not backed by the provided artifacts.
Evidence: The `.env` file is automatically ignored by git ... It's already in `.gitignore`
Recommendation: Include a .gitignore that excludes .env, provide .env.example, consider chmod 600 for .env, and correct the registry metadata to declare the credential requirement.
