Near Email Reporter
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a mostly coherent NEAR email-reporting helper, but it stores SMTP credentials locally and its advertised email/scheduling features are only partially implemented.
This skill appears benign and purpose-aligned, but treat the SMTP password as sensitive. Use an app password, review the local config file permissions, verify any dependency you install, and test whether email delivery and scheduling actually work before relying on the skill for alerts.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read the config file or recover the command invocation may be able to use the SMTP account to send email.
The script accepts an SMTP password as a command-line option and persists it in a local config file. This is expected for SMTP reporting, but it gives the skill access to email-sending credentials.
```js
else if (args[i] === '--pass') options.pass = args[++i];
...
await fs.writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
```
Use an app-specific SMTP password, avoid reusing your main email password, protect or delete ~/.near-email/config.json when no longer needed, and consider safer secret-entry methods if modifying the script.
Installing an external package adds supply-chain trust in that package and the npm source used at install time.
Real email sending depends on a user-installed external npm package, but the artifact does not pin a version or declare it as a package dependency. This is a normal integration step, but users should verify what they install.
For actual email sending, install nodemailer:
```bash
npm install nodemailer
```
Install dependencies from trusted sources, consider pinning a known-good nodemailer version, and review package changes before using it with SMTP credentials.
A user could believe alerts or scheduled reports are active when the included script only prints what it would do.
The script indicates alert and scheduling behavior is not actually implemented, while the skill description advertises alerts, scheduling, and automatic reporting.
```js
console.log('Alert functionality requires nodemailer for email sending.');
...
console.log(`Would set up alert for ${args[0]} at ${args[1]} NEAR threshold`);
...
console.log('Schedule functionality requires cron or job scheduler.');
```
Test the reporting flow before relying on it, and do not treat alerts or scheduled reports as active unless you add and verify real email-sending and scheduler integration.
