v1.0.0

Near Email Reporter

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:28 AM.

Analysis

This is a mostly coherent NEAR email-reporting helper, but it stores SMTP credentials locally and its advertised email/scheduling features are only partially implemented.

Guidance: This skill appears benign and purpose-aligned, but treat the SMTP password as sensitive. Use an app password, review the local config file permissions, verify any dependency you install, and test whether email delivery and scheduling actually work before relying on the skill for alerts.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
README.md
For actual email sending, install nodemailer:
```bash
npm install nodemailer
```

Real email sending depends on a user-installed external npm package, but the artifact does not pin a version or declare it as a package dependency. This is a normal integration step, but users should verify what they install.

User impact: Installing an external package adds supply-chain trust in that package and the npm source used at install time.
Recommendation: Install dependencies from trusted sources, consider pinning a known-good nodemailer version, and review package changes before using it with SMTP credentials.

Human-Agent Trust Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/emailer.js
```js
console.log('Alert functionality requires nodemailer for email sending.');
// ...
console.log(`Would set up alert for ${args[0]} at ${args[1]} NEAR threshold`);
// ...
console.log('Schedule functionality requires cron or job scheduler.');
```

The script indicates alert and scheduling behavior is not actually implemented, while the skill description advertises alerts, scheduling, and automatic reporting.

User impact: A user could believe alerts or scheduled reports are active when the included script only prints what it would do.
Recommendation: Test the reporting flow before relying on it, and do not treat alerts or scheduled reports as active unless you add and verify real email-sending and scheduler integration.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/emailer.js
```js
else if (args[i] === '--pass') options.pass = args[++i];
// ...
await fs.writeFile(CONFIG_FILE, JSON.stringify(config, null, 2), { mode: 0o600 });
```

The script accepts an SMTP password as a command-line option and persists it in a local config file. This is expected for SMTP reporting, but it gives the skill access to email-sending credentials.

User impact: Anyone who can read the config file or recover the command invocation may be able to use the SMTP account to send email.
Recommendation: Use an app-specific SMTP password, avoid reusing your main email password, protect or delete ~/.near-email/config.json when no longer needed, and consider safer secret-entry methods if modifying the script.