email-cron-handler
WarnAudited by ClawScan on May 18, 2026.
Overview
This skill is openly designed for email-driven automation, but it gives scheduled emails broad control over an AI agent while handling mailbox credentials and authorization too loosely.
Install only if you intentionally want a mailbox to control an agent. Before use, require a non-empty verified sender whitelist, avoid putting email passwords in prompts or cron payloads, restrict what emailed commands can do, and add a clear way to stop the scheduled jobs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A whitelisted, compromised, or spoofed sender could cause the agent to attempt unintended tasks and return the results by email.
The template explicitly makes external email content authoritative instructions for the agent and does not limit those instructions to a narrow safe command set.
⚠️ 核心任务:读取 {WHITELIST_SENDER} 发来的邮件,邮件内容是你需要执行的指令! ... b. 尝试执行该指令(查询天气/搜索信息/执行操作等)Treat email bodies as untrusted input; require a strict command allowlist, stronger sender authentication, and explicit approval for sensitive or irreversible actions.
The scheduled job could repeatedly perform unintended operations from email commands without the local user reviewing each request.
The documented workflow schedules autonomous agent turns that fetch email, execute requested instructions, and reply, with no per-action approval or constrained tool boundary.
cron add --name "邮件指令-白天" ... --schedule "expr" "* 7-23 * * *" ... --payload '{"kind":"agentTurn","message":"...执行指令并回复结果..."}'Constrain the actions the cron job may perform, require confirmation for destructive/account-changing/public actions, and log or preview replies before sending them.
A configuration mistake could turn every recent inbox message into a possible agent command source.
The main authorization control fails open: if whitelist_sender is blank or misconfigured, the code processes messages from any sender.
whitelist = config.get('whitelist_sender', '').lower(); if whitelist and sender != whitelist: continueFail closed when no whitelist is configured, validate configuration at startup, support explicit approved sender lists, and verify sender identity more strongly than a From-header comparison.
Mailbox credentials may be stored in scheduler configuration or exposed to model/session logs, and they grant both email-reading and email-sending authority.
The reference template places mailbox credentials directly into the agent instruction/cron payload rather than using a declared secure credential mechanism.
IMAP登录: user={EMAIL}, password={PASSWORD}, host={IMAP_HOST}, port={IMAP_PORT}; SMTP登录: user={EMAIL}, password={PASSWORD}, host={SMTP_HOST}, port={SMTP_PORT}Use a secret store or environment variables with least-privilege app passwords, declare the credential requirement in metadata, and avoid embedding passwords in prompts.
Once configured, the agent may continue checking email and acting on remote instructions even when the user is not present.
The skill documents persistent scheduled agent execution for most of the day and night, but does not document a kill switch, expiry, rate limit, or safe teardown.
白天模式(每分钟) ... 7:00-23:00,每分钟执行 ... 夜间模式(每30分钟)
Add clear enable/disable and uninstall instructions, rate limits, audit logs, and an expiration or confirmation requirement for long-running automation.