PayLessTax Email Campaign
PayLessTax email automation system - 4x daily, 250 emails each
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 186 · 1 current installs · 1 all-time installs
by Carl Luis Olivier @wespeakallday
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared purpose (sending 4x daily batches, tracking bounces/unsubscribes, managing Gmail via a service account) aligns with the code which sends emails via the Gmail API and uses a service account with subject impersonation. However the registry metadata lists no required credentials or config paths while SKILL.md and index.py clearly expect service-account credentials and a mailing-list file — this mismatch is unexpected and should be corrected.
Instruction Scope
SKILL.md instructs scraping the inbox for new contacts and managing Gmail; index.py implements inbox searches for bounces/unsubscribes but does not implement contact scraping or automatic removal of unsubscribes. The instructions also imply domain-wide delegation and inbox access; these are broad operations that give full mailbox access and should be explicitly declared and constrained.
Install Mechanism
There is no install spec (instruction-only + a Python file). The code imports standard Python packages (google client libs, pandas) but does not download arbitrary executables or fetch code from untrusted URLs. Risk from install mechanism itself is low, but runtime dependencies must be present in the environment.
Credentials
Although registry metadata lists no required env vars or config paths, SKILL.md documents a GOOGLE_SERVICE_ACCOUNT and the config/settings.json contains a hardcoded path to a service account file under '/home/papawespeak/.openclaw/workspace/secrets/gmail-sa.json'. The skill therefore expects access to highly sensitive Gmail service-account credentials (with gmail.modify scope and impersonation), which is proportionate to mass-emailing but must be declared and audited. The hardcoded secret path is a red flag and may expose or assume access to workspace secrets.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. The agent may invoke the skill autonomously (default), which increases blast radius if credentials are misused — combine that with the broad Gmail credentials requirement and this is an operational concern, though autonomous invocation alone is normal.
What to consider before installing
Do not install or run this skill until the following are clarified and addressed:
- Confirm where and how the Gmail service-account JSON is provided. The registry says no required env vars or config paths, but SKILL.md and config/settings.json expect sensitive credentials (and settings.json contains a hardcoded secrets path). Do not supply credentials until you verify the account belongs to you and has the minimal scopes required.
- Domain-wide delegation/impersonation is powerful: ensure the service account's privileges are strictly limited and audited. Prefer a dedicated mailbox and least-privilege credentials (not full domain delegation) where possible.
- Ask the author to remove or parameterize the hardcoded path (/home/papawespeak/...) in config/settings.json and to declare required env vars/config in the registry metadata (GOOGLE_SERVICE_ACCOUNT, USER_EMAIL, MAILING_LIST_PATH). The registry should reflect actual runtime needs.
- Confirm mailing list legality and opt-in status. This code will send high-volume email (1,000/day) — ensure compliance with anti-spam rules, organizational policy, and Gmail sending limits. Validate unsubscribe handling: current code only counts unsubscribe messages and does not automatically remove addresses from lists.
- Review and test in a controlled environment with a small opt-in list before scaling. Log and monitor all sending activity and restrict who can provide credentials.
If the author cannot or will not explain the credential handling and remove the hardcoded secret path, treat the skill as unsafe to install.
Current version: v2.0.0
SKILL.md
Email Campaign Skill
Overview
High-volume email campaign system for PayLessTax. Delivers 1,000 emails daily in 4 batches.
Purpose
- Send 250 emails per batch, 4 batches daily (6am, 12pm, 3pm, 6pm)
- Track bounces and unsubscribes
- Scrape inbox for new contacts
- Manage Google Workspace Gmail via service account
Input Variables
| Variable | Description | Example |
|---|---|---|
| GOOGLE_SERVICE_ACCOUNT | JSON credentials | { "type": "service_account", ... } |
| USER_EMAIL | Sending user email | clolivier@wespeakallday.com |
| ALIAS_EMAIL | From address | info@paylesstax.co.za |
| MAILING_LIST_PATH | Excel CSV of contacts | /workdir/mailing-list.xlsx |
| BATCH_SIZE | Emails per batch | 250 (do NOT exceed Gmail limits) |
Signature Template
Best regards,
The PayLessTax Team
www.paylesstax.co.za | info@paylesstax.co.za
Should you wish to no longer receive these emails, reply with UNSUBSCRIBE
Template Variables (Email Body)
| Variable | Usage |
|---|---|
| {{RECIPIENT_NAME}} | Parsed from email or "Valued Client" |
| {{TAX_TIP}} | Rotating tax tip of the day |
| {{PERSONALIZED_OFFER}} | Dynamic offer based on last interaction |
| {{UNSUBSCRIBE_LINK}} | For compliance |
Triggers
Scheduled via OpenClaw scheduler:
- 06:00 (Morning batch + inbox scraping)
- 12:00 (Midday batch)
- 15:00 (Afternoon batch)
- 18:00 (Evening batch + maintenance)
APIs & Dependencies
- Google Gmail API (service account with domain-wide delegation)
- Pandas (for Excel/CSV contact lists)
- google-auth, google-auth-oauthlib, google-auth-httplib2, google-api-python-client
Rate Limits
- Gmail API: 250 messages/user/second (safe limit: 250/batch with delays)
- Daily quota: Managed across 4 batches
Output
{
  "batch_id": "2026-03-03-06-00",
  "sent_count": 250,
  "failed": 3,
  "bounces": ["bad@example.com"],
  "unsubscribes": ["user@example.com"]
}
Files
- index.py - Main email sending logic
- templates/email-body.html - HTML email template
- .env.example - Environment variables
Compliance Notes
- Always include physical address
- Honor unsubscribe within 10 days
- Include company registration number
