Email Sender Pro

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it claims, but its configuration logic can send an SMTP password or authorization code to the wrong mail provider host if the user follows the documented minimal setup.

Do not use a real SMTP password or authorization code until a dry run shows the exact SMTP host you intended. For non-126 providers, explicitly set `SMTP_HOST` or wait for the config fallback bug to be fixed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or premature run could send an email from the user's mailbox.

Why it was flagged

The script authenticates to SMTP and sends a real email. This is purpose-aligned, but it is an irreversible account action if run with the wrong recipient, subject, or body.

Skill content
```python
server.login(config.username, config.password)
server.send_message(message)
```

Recommendation

Use `--dry-run` first and confirm the sender, recipient, subject, body, and resolved SMTP host before any real send.

What this means

A mailbox password or SMTP authorization code could be submitted to a mail server for a provider the user did not intend to use.

Why it was flagged

The script loads embedded config first, then overlays `.env`, but later prefers any existing `SMTP_HOST` over the selected provider preset. Because the embedded config contains `SMTP_HOST=smtp.126.com`, a minimal `.env` selecting `qq`, `sina`, or `aliyun` can still send the user's SMTP secret to `smtp.126.com`.

Skill content
```python
merged = dict(embedded_values)
merged.update(env_values)
...
host = first_non_empty(values.get("SMTP_HOST"), preset.get("host"))
```

Recommendation

Fix the config logic so embedded values are used only when `.env` is absent, or ensure provider presets override embedded host values when `EMAIL_PROVIDER` is changed. Users should verify the dry-run host before entering or using a real secret.

What this means

A user following the documented minimal setup may trust that their selected provider will be used, while the script can resolve a different SMTP host.

Why it was flagged

The documentation tells users that embedded config is only a fallback and that a preset provider can omit `SMTP_HOST`, but the script's merge behavior can keep the embedded `smtp.126.com` host even when another provider is selected.

Skill content
```
Read `.env` from the repo root. If it does not exist, fall back to the embedded config block in this file.
...
For preset providers, the minimum practical configuration is:
EMAIL_PROVIDER=qq
SMTP_PASSWORD=your_smtp_secret
FROM_EMAIL=your_email@qq.com
```

Recommendation

Update the documentation and code so the displayed dry-run configuration and real-send behavior match the stated provider selection rules.