Email Tool
Send and search emails via Zoho using specified recipients, subject, body, and search queries with optional CC, BCC, and read marking.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 697 · 4 current installs · 4 all-time installs
MIT-0
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill implements sending and searching email over IMAP/SMTP (nodemailer + imap-simple), which is coherent with the description. However the registry metadata claims no required environment variables or primary credential while the SKILL.md and src/index.js clearly require EMAIL_USER and EMAIL_PASS (or an external secrets file). Also the outgoing From address in the code is hardcoded as "Pestward Info", which doesn't match the generic "Email Tool" branding and suggests leftover or repurposed code.
Instruction Scope
SKILL.md and src/index.js instruct the agent to load credentials from either a secrets JSON file at OPENCLAW_SECRETS_DIR (or ~/.openclaw/secrets/email-tool.json) or from environment variables. This requires reading a path in the user's home directory and accessing environment variables (OPENCLAW_SECRETS_DIR, EMAIL_USER, EMAIL_PASS, and optional HOST_/PORT_ vars). Those file/env accesses are reasonable for an email tool but they are not declared in the registry metadata, and the code reads from outside the skill folder (user home), which should be explicit/approved by the deployer.
Install Mechanism
No install spec is provided (instruction-only in registry), but the package includes code and a package.json/package-lock.json listing dependencies on well-known npm packages (nodemailer, imap-simple). Running this code requires those Node dependencies to be installed; absence of an install spec means the runtime or operator must ensure npm deps are installed. The packages themselves are standard for email and not unexpected.
Credentials
Functionally the skill requires EMAIL_USER and EMAIL_PASS and optionally OPENCLAW_SECRETS_DIR and HOST_/PORT_/SECURE settings — but the registry metadata lists no required env vars and no primary credential. That mismatch is significant: the skill will fail without credentials, yet nothing in the registry advertises that requirement or which env vars will be used. The skill also reads HOME/USERPROFILE implicitly to locate the secrets file.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or system-wide settings. It runs as a normal, user-invocable skill and can be invoked autonomously per platform defaults; this is expected for a utility skill. No extra persistent privileges are requested.
Scan Findings in Context
[secret-scan-script-included] expected: The repository includes scripts/secret-scan.js, a local secret-detection helper. Its presence is appropriate and helpful for preventing accidental inclusion of credentials in the skill bundle.
[uses-nodemailer-and-imap-simple] expected: The code imports nodemailer and imap-simple which are the expected libraries for SMTP and IMAP interactions; this is consistent with the declared functionality.
[reads-external-secrets-file-or-env] expected: The skill intentionally reads credentials from an external secrets file (OPENCLAW_SECRETS_DIR or ~/.openclaw/secrets/email-tool.json) or env vars. That is expected for an email client, but those accesses should be explicitly declared in the registry metadata.
What to consider before installing
This skill appears to be an IMAP/SMTP email client for Zoho and contains source code that will read credentials from a secrets file or environment variables. Before installing: (1) verify and accept that the skill needs EMAIL_USER and EMAIL_PASS (the registry entry currently omits these), (2) confirm where you'll store the secrets (OPENCLAW_SECRETS_DIR or env) and ensure the secrets file is protected, (3) review the code yourself (noting the hardcoded sender name "Pestward Info") and ensure there are no unexpected network endpoints, and (4) ensure the platform will install the npm dependencies (nodemailer, imap-simple). If you do not trust the author or cannot provide the required credentials safely, do not install. If you need higher assurance, request the author to update registry metadata to declare required env vars and to explain the "Pestward Info" string or remove it.Like a lobster shell, security has layers — review code before you run it.
Current versionv1.0.2
Download zipemailimaplatestsmtpzoho
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
Email Skill
Description: Use this skill to send and read emails (IMAP/SMTP). Designed for Zoho Mail but configurable.
Capabilities: email.send, email.search
Tools
email.send
Send an email to one or more recipients.
Parameters:
to(string, required): Comma-separated list of recipients.subject(string, required): The email subject.body(string, required): The email body (HTML or plain text).cc(string, optional): CC recipients.bcc(string, optional): BCC recipients.
email.search
Search for emails in the inbox.
Parameters:
query(string, required): Search query (e.g.from:example.com,subject:Invoice).limit(number, optional): Max results (default 10).markRead(boolean, optional): Mark as read after fetching (default false).
Configuration (NO HARDCODED SECRETS)
This skill must not contain credentials.
It loads secrets from either:
- A JSON file at
%OPENCLAW_SECRETS_DIR%/email-tool.json(recommended), or - Environment variables (fallback).
Required keys:
EMAIL_USEREMAIL_PASS
Optional (defaults shown):
HOST_IMAP(imap.zoho.com)PORT_IMAP(993)HOST_SMTP(smtp.zoho.com)PORT_SMTP(465)SECURE_SMTP(true)
If you are packaging/uploading this skill: run node scripts/secret-scan.js first.
Files
5 totalSelect a file
Select a file to preview.
Comments
Loading comments…