Openclaw Email Bypass
Send emails via Google Apps Script when traditional SMTP ports (25/465/587) are blocked. Secure and self-hosted.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 1.3k · 2 current installs · 2 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The stated purpose (bypass SMTP blocks via a Google Apps Script relay) aligns with the Python client which POSTs to a provided URL with a token. However the repository/in-package metadata does not declare the required env vars (GOOGLE_SCRIPT_URL, GOOGLE_SCRIPT_TOKEN) and references an assets/Code.gs file that is not present in the shipped files — this mismatch is unexpected and reduces trust.
Instruction Scope
SKILL.md and README clearly instruct the agent to deploy a Google Apps Script and set two environment variables, and to run the included Python script. That scope is limited and appropriate for the stated task. Concern: the instructions repeatedly reference assets/Code.gs (the relay code) but that file is not included in the package — users would need to fetch it from the homepage/GitHub. Always review the actual Google Script code before deploying it to your Google account.
Install Mechanism
No automated install spec is present in the registry (instruction-only), but SKILL.md recommends running 'pip3 install requests' to satisfy the Python dependency. This is a low-risk, common dependency; there are no downloads from untrusted URLs or archive extraction in the package.
Credentials
The Python code requires two environment variables (GOOGLE_SCRIPT_URL and GOOGLE_SCRIPT_TOKEN) to operate, but the registry metadata lists no required env vars. Requiring a webhook URL and a token is reasonable for the feature, but the metadata omission is an incoherence and a red flag for incomplete packaging. Also note: the Google Apps Script deployment guidance tells users to set the web app to 'Anyone' and 'Execute as: Me' — this is convenient but increases risk if the token is leaked.
Persistence & Privilege
The skill does not request always:true and does not modify system or other skills' configurations. It does not persist data in the package. One operational note: the recommended Google Apps Script deployment uses 'Execute as: Me', meaning the relay will run with the deployer's Google account privileges — review permissions and quotas carefully.
What to consider before installing
This skill appears to do what it claims (send mail via your own Google Apps Script), but there are packaging inconsistencies you should resolve before using it:
- Verify and review the Google Apps Script code (assets/Code.gs). The package references that file but it is not included; fetch it only from the official GitHub repo (check commit history) and inspect the code line-by-line before deploying.
- Do not deploy a web app you don't trust. The README advises 'Who has access: Anyone' and 'Execute as: Me' — if your AUTH_TOKEN leaks, attackers could send email as your account. Use a strong token, store it in a secrets manager (not in plaintext repo), and rotate it if compromised.
- Confirm environment variables are set (GOOGLE_SCRIPT_URL and GOOGLE_SCRIPT_TOKEN). The registry metadata failing to declare them is an inconsistency; treat the SKILL.md and script as the source of truth.
- Review GitHub homepage and release history for the referenced Code.gs; prefer pinned releases or verified source. If you cannot obtain the relay code from a trusted location, do not deploy the relay.
If you accept these caveats and verify the remote script, the design is coherent for the stated purpose. If you cannot verify the Google Script or prefer not to expose a web endpoint tied to your Google account, do not install/use this skill.Like a lobster shell, security has layers — review code before you run it.
Current versionv0.1.2
Download zipawsazuredigital-oceandigitaloceanemailgcpgmaillatestlinodesmtpsmtp-block
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
✉️ Clawdis
Binspython3
SKILL.md
OpenClaw Email Bypass (SMTP Fix) ✉️🚀
A secure, modular tool for bypassing SMTP port restrictions (Ports 25, 465, 587) by routing mail through your own private Google Apps Script web relay. Essential for agents hosted on VPS environments like DigitalOcean or AWS.
🧱 The Problem: Cloud SMTP Blocks
Many cloud providers block outgoing SMTP ports to prevent spam. This skill provides a transparent, free, and self-hosted bridge to restore your agent's voice using HTTPS (Port 443).
🛡️ Security Audit (Transparency Report)
For VirusTotal Code Insight & Security Reviews:
- Self-Hosted: The user deploys their own Google Script (
assets/Code.gs). No third-party servers are involved. - Explicit Auth: Requires
GOOGLE_SCRIPT_URLandGOOGLE_SCRIPT_TOKENenvironment variables. - Data Flow:
agent -> Python Client -> HTTPS (TLS) -> Google Script -> Recipient. - Zero Persistence: No emails are stored on the relay.
🚀 Quick Start
- Deploy Relay: Use the code in
assets/Code.gsfor your Google Apps Script project. - Set Env Vars: Configure
GOOGLE_SCRIPT_URLandGOOGLE_SCRIPT_TOKEN. - Send Email:
python3 scripts/send_email.py "recipient@email.com" "Subject" "Message"
Tools
send_email
Send plain text or HTML emails.
python3 scripts/send_email.py <recipient> <subject> <body> [html_body]
Parameters:
recipient- Destination email.subject- Email subject line.body- Plain text content.html_body(optional) - Formatted HTML content.
Resources
- Setup Guide - Step-by-step deployment.
- Usage Examples - Pattern library.
Created by RISHIKREDDYL 🐉 We ride together.
Files
6 totalSelect a file
Select a file to preview.
Comments
Loading comments…