Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match an email-sending tool and the Go source implements SMTP sending (STARTTLS, attachments). However the skill metadata declares no required environment variables or primary credential, while both SKILL.md/README and main.go expect SMTP-related environment variables (SMTP_HOST, SMTP_PORT, SMTP_USERNAME, SMTP_PASSWORD, FROM_EMAIL, FROM_NAME). The omission in metadata is an incoherence.
Instruction Scope
SKILL.md instructs the user to set SMTP environment variables and to run a provided executable or use the Go package; it does not request unrelated files or system info. However the documentation embeds an explicit SMTP_PASSWORD value (plaintext example/credential), which is inappropriate to include and increases risk of credential misuse or leakage.
Install Mechanism
There is no install spec (instruction-only) and the repository includes source (main.go). No remote downloads, installers, or archive extraction are specified, which reduces installation risk. The SKILL.md references a prebuilt mail_sender.exe but no download URL is provided.
Credentials
Requesting SMTP credentials (username/password) is proportionate for an email tool, but the skill metadata failing to list these env vars is inconsistent. More importantly, the README/SKILL.md contain an explicit SMTP_USERNAME and SMTP_PASSWORD example (looks like an authorization code) — this is a sensitive secret in plaintext and should be treated as leaked. The number of env vars is reasonable, but the presence of a real credential is a notable risk.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges; always:false and default autonomous invocation settings are normal. It does not modify other skills or global config according to provided files.
What to consider before installing
This appears to be a straightforward SMTP email sender, but there are two issues you should address before installing or running it: (1) the package metadata does not list required environment variables even though the code and docs expect SMTP credentials — treat this as an inconsistency and verify what env vars you must provide; (2) the README/SKILL.md include a plaintext SMTP username and password/authorization-code. Assume that credential is compromised: do not reuse it, do not paste your own real password into examples, and rotate/change any account referenced. Recommended actions: review main.go yourself (or rebuild from source rather than running an unknown mail_sender.exe), remove or replace any hard-coded/sample secrets, update the skill metadata to list required env vars, and supply a dedicated mailbox or app-specific password with minimal privileges. If you cannot verify the origin of the embedded credential, avoid running the prebuilt executable and consider contacting the publisher for clarification.
Like a lobster shell, security has layers — review code before you run it.
