Gosmtp

Security checks across malware telemetry and agentic risk

Overview

This email-sending skill is review-worthy because it asks for SMTP credentials, includes a credential-like password in its documentation, and its built-in send command emails a fixed external recipient.

Do not use the included SMTP password. If you install or adapt this skill, replace it with your own scoped app password, verify every recipient before sending, and avoid running the built-in send command unless the hardcoded recipient has been removed.

VirusTotal

67/67 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Running the send command could send mail from the configured SMTP account to a recipient the user did not choose.

Why it was flagged

The built-in sendEmail path sends to a hardcoded external address with no CLI recipient parameter or clear user scoping.

Skill content
email := &Email{ To: []string{"siysun@outlook.com"}, Subject: "[Agent 测试] 邮件发送功能验证", ... }
Recommendation

Require the recipient, subject, and body to be supplied by the user at runtime, and clearly confirm before sending any email.

ASI03: Identity and Privilege Abuse
Medium
What this means

Users may unknowingly grant email-sending authority or use/publish credentials in an unsafe way.

Why it was flagged

The skill documentation includes a concrete SMTP username and credential-like password even though the registry declares no required credentials or environment variables.

Skill content
$env:SMTP_USERNAME="siysunopcl@qq.com"
$env:SMTP_PASSWORD="wfpjoocjildcbjeh"
Recommendation

Remove the credential-like value, declare required SMTP env vars in metadata, and instruct users to provide their own scoped app password or test account.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A user may be unable to reproduce the documented setup or may look for an unreviewed executable elsewhere.

Why it was flagged

The documentation references an executable and module file that are not present in the provided file manifest, so the runnable packaging is incomplete or inconsistent.

Skill content
- `mail_sender.exe` - compiled executable (5.3MB)
- `go.mod` - Go module definition
Recommendation

Provide the referenced build files in the package, or update the instructions to match the actual reviewed source files.