Email Monitor
Status: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with email monitoring, but it stores mailbox passwords for persistent scheduled access and has unsafe attachment filename handling that could write files outside the chosen folder.
Install only if you are comfortable giving the agent ongoing IMAP access to the mailbox. Use an app-specific password where possible, protect or delete the local config file when done, review the cron task that gets created, and avoid enabling attachment downloads until filenames are safely constrained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If attachment download is enabled, a malicious email attachment name could overwrite or create files outside the folder the user selected, within the permissions of the running agent.
Attachment filenames come from email content and are joined directly to the target directory without sanitizing path separators, absolute paths, or traversal such as ../.
filename = decode_str(part.get_filename() or "attachment")  # name comes straight from the email
filepath = os.path.join(attachment_dir, filename)  # joined without stripping separators or ../
with open(filepath, "wb") as f:  # "wb" silently overwrites whatever is already at that path
Sanitize attachment filenames with basename-style handling, reject absolute paths and traversal components, avoid overwriting existing files, and keep all downloads confined to the selected directory.
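The following is an added example of the confinement the recommendation above describes; it is not the skill's own code. It assumes the filename has already been decoded to a `str` (as the skill's `decode_str()` does) and uses hypothetical function names `sanitize_attachment_name`, `safe_attachment_path`, and `save_attachment`. It reduces the attacker-controlled name to a single path component, double-checks that the resolved path stays under the chosen directory, and uses exclusive-create mode so an existing file is never overwritten.

```python
import os
import re
import tempfile

# Control characters (including NUL) have no place in a filename on disk.
_BAD_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_attachment_name(raw_name, fallback="attachment", max_len=200):
    """Reduce an attacker-controlled filename to one safe path component."""
    name = raw_name or ""
    # Treat "\" as a separator too, whatever the host OS, then keep only the
    # last component: absolute paths and ../ prefixes are discarded here.
    name = name.replace("\\", "/").split("/")[-1]
    name = _BAD_CHARS.sub("", name).strip()
    # Drop leading dots: rejects "." and "..", and stops hidden-file names
    # such as ".bashrc" from being created in the user's directory.
    name = name.lstrip(".")
    if not name:
        name = fallback
    return name[:max_len]


def safe_attachment_path(attachment_dir, raw_name):
    """Return a path inside attachment_dir that does not clobber an existing file."""
    base_dir = os.path.realpath(attachment_dir)
    name = sanitize_attachment_name(raw_name)
    stem, ext = os.path.splitext(name)
    candidate = os.path.join(base_dir, name)
    counter = 1
    while os.path.exists(candidate):  # pick "name(1).ext", "name(2).ext", ...
        candidate = os.path.join(base_dir, f"{stem}({counter}){ext}")
        counter += 1
    # Defence in depth: the resolved path must still lie under base_dir.
    if os.path.commonpath([base_dir, os.path.realpath(candidate)]) != base_dir:
        raise ValueError(f"refusing to write outside {base_dir}: {raw_name!r}")
    return candidate


def save_attachment(attachment_dir, raw_name, data):
    """Write data under attachment_dir; "x" mode fails instead of overwriting."""
    path = safe_attachment_path(attachment_dir, raw_name)
    with open(path, "xb") as f:
        f.write(data)
    return path


def demo(base_dir=None):
    """Run the hardened flow on constructed hostile names; returns what was written."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="attachments-")
    first = save_attachment(base_dir, "../../../etc/report.pdf", b"constructed sample 1")
    second = save_attachment(base_dir, "report.pdf", b"constructed sample 2")
    real_base = os.path.realpath(base_dir)
    return {
        "names": [os.path.basename(first), os.path.basename(second)],
        "confined": all(os.path.dirname(p) == real_base for p in (first, second)),
    }


if __name__ == "__main__":
    print(demo())
```

The `commonpath` check is redundant once the name is a plain basename, but keeping it means a future change to the sanitizer cannot silently reopen the traversal; the exclusive-create mode closes the remaining window between the `exists()` probe and the write.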
Anyone or any process that can read the config file may gain access to the mailbox credential, and a regular account password may grant broader account access than needed for read-only monitoring.
The skill requests mailbox credentials and stores them persistently in a local JSON config, including regular account passwords for some providers.
Ask the user to provide:
- Their **email address**
- Their **app password** (or account password for non-Gmail)
Store these in a local config file
Prefer provider app passwords or OAuth tokens with limited scope, document the credential risk clearly, set restrictive file permissions, avoid regular account passwords where possible, and provide instructions to delete the config and rotate credentials.
The mailbox will keep being checked on the chosen schedule until the cron task is removed, which may be surprising if the user later forgets it is running.
The skill creates a persistent scheduled job that continues checking the mailbox after setup.
After user confirms, create the cron job using openclaw:
openclaw cron add "<cron-expr>" "检查邮件 <email>" --run "python3 <skill_dir>/scripts/fetch_emails.py --config ..."
Show the user how to list, disable, and remove the cron job, and remind them where the stored credential and state files are located.
A malicious email could include instructions aimed at the AI assistant; if the assistant treats those instructions as commands instead of email content, it could be misled.
Fetched email body text is emitted for the agent/user to read or summarize, and email text is untrusted content that may contain prompt-injection instructions.
"snippet": body,
Add explicit guidance that email contents are untrusted data, must not override user instructions, and should only be summarized or displayed unless the user separately approves an action.
