Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proton Bridge Email

Send email through Proton Mail Bridge (localhost SMTP) using age-encrypted credentials. Use when setting up Proton Bridge for an agent mailbox, encrypting Bridge credentials (no 1Password), or sending automated emails (daily reports, alerts) via Proton Bridge.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.5k · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to send mail via Proton Bridge using age-encrypted credentials and the code does exactly that, but the registry metadata lists no required binaries or config paths even though the runtime requires the 'age' binary and specific secret file locations (~/clawd/secrets/proton.env.age and ~/.config/age/keys.txt). The missing declarations are a mismatch between purpose and requested/assumed capabilities.
Instruction Scope
SKILL.md and scripts are narrowly scoped to: encrypt a plaintext env file with age and run a Python script that decrypts that file and sends mail to localhost SMTP. The scripts read the encrypted file and the user's age private key. The sender script intentionally allows self-signed/local certs (ssl._create_unverified_context) to accommodate Bridge on localhost — this is expected but reduces TLS verification and is worth noting.
Install Mechanism
There is no install spec (instruction-only plus two helper scripts). Nothing is downloaded or written by an install step; risk from install-time arbitrary code is low. The presence of code files means the scripts will run on the host when invoked.
[!] Credentials
The skill does not declare any required environment variables or config paths, yet it requires access to specific local secret files (~/clawd/secrets/proton.env.age and ~/.config/age/keys.txt) and the 'age' binary. Requesting access to a user's private age key and decrypted credentials is proportionate to the stated function, but the omission from declared requirements is an incoherence and increases the chance a user will be surprised by what the skill accesses.
Persistence & Privilege
The skill is not set to always: true and does not request elevated or persistent system-wide privileges. It does run subprocess('age') and Python code at invocation, but it does not modify other skills or system configurations.
What to consider before installing
This skill appears to implement what it claims (encrypt an env file with age and send mail through local Proton Bridge), but the package metadata omits key runtime requirements. Before installing or running:

  1. Verify you have the 'age' binary and Python3 available.
  2. Confirm you are comfortable the script will read your age private key at ~/.config/age/keys.txt and the encrypted file at ~/clawd/secrets/proton.env.age (these paths are hard-coded).
  3. Inspect send_email.py (it calls the 'age' binary via subprocess and creates an unverified SSL context for localhost), and consider running it in an isolated environment or container if you are unsure.
  4. Do not store secrets on shared machines and keep file permissions restrictive.
  5. Ask the publisher to update metadata to declare required binaries and config paths so the skill's expected privileges are explicit.

Current version: v1.0.0

SKILL.md

Proton Bridge Email (age-encrypted)

Authored by Boilermolt + Boiler (Chris).

Use Proton Mail Bridge for local SMTP/IMAP and keep credentials encrypted at rest with age.

What this skill provides

  • A minimal SMTP sender: scripts/send_email.py
  • A helper to encrypt the Bridge env file: scripts/encrypt_env.sh
  • Setup notes: references/proton-bridge-setup.md

Expected local secret location

This skill assumes the encrypted env file is at:

  • ~/clawd/secrets/proton.env.age

And your age identity is at:

  • ~/.config/age/keys.txt

The encrypted file should contain at least:

  • PROTON_EMAIL
  • PROTON_BRIDGE_USER
  • PROTON_BRIDGE_PASS (Bridge “Use this password”, not your Proton web password)
  • SMTP_HOST, SMTP_PORT, SMTP_SECURITY

Quick start

  1. Set up Proton Bridge (Linux) → see references/proton-bridge-setup.md.
  2. Create a temporary plaintext env file (e.g., /tmp/proton.env), then encrypt it:

    bash scripts/encrypt_env.sh /tmp/proton.env <age-public-key>

  3. Send a test email:

    python3 scripts/send_email.py \
      --to you@example.com \
      --subject "Test" \
      --body "Sent via Proton Bridge."

Notes / gotchas

  • Bridge typically uses a local/self-signed cert for TLS on localhost. The sender script allows it.
  • Bridge must be running for localhost SMTP to work.
  • Do not commit or share secrets; only share the .age encrypted file if you intend to.
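
The first gotcha above means the sender skips TLS certificate validation for Bridge. The following is an added example, not the skill's own send_email.py: it keeps the self-signed certificate usable but pins its SHA-256 fingerprint before any credentials are sent. The function names, the sample values, and the assumption that SMTP_SECURITY is STARTTLS are hypothetical and not taken from the skill.

```python
import hashlib
import hmac
import smtplib
import ssl

REQUIRED = ("PROTON_EMAIL", "PROTON_BRIDGE_USER", "PROTON_BRIDGE_PASS",
            "SMTP_HOST", "SMTP_PORT", "SMTP_SECURITY")

# Constructed sample of the decrypted env text (placeholder values, not real).
SAMPLE_ENV = ("PROTON_EMAIL=agent@example.com\nPROTON_BRIDGE_USER=agent@example.com\n"
              "PROTON_BRIDGE_PASS='constructed-pass'\nSMTP_HOST=127.0.0.1\n"
              "SMTP_PORT=1025\nSMTP_SECURITY=STARTTLS\n")


def parse_env(text):
    """Parse KEY=VALUE lines held in memory; fail closed if a key is missing."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip('"').strip("'")
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise ValueError("missing keys: " + ", ".join(missing))
    return env


def cert_matches_pin(der_cert, pinned_sha256_hex):
    """Constant-time compare of the certificate's SHA-256 with the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    expected = pinned_sha256_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(actual, expected)


def open_pinned_smtp(env, pinned_sha256_hex):
    """STARTTLS to Bridge, then enforce the pin before logging in."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # Bridge's certificate is self-signed
    ctx.verify_mode = ssl.CERT_NONE   # trust comes from the pin, not from a CA
    smtp = smtplib.SMTP(env["SMTP_HOST"], int(env["SMTP_PORT"]), timeout=10)
    smtp.starttls(context=ctx)        # assumption: SMTP_SECURITY is STARTTLS
    der = smtp.sock.getpeercert(binary_form=True)
    if not der or not cert_matches_pin(der, pinned_sha256_hex):
        smtp.close()
        raise ssl.SSLError("Bridge certificate does not match the pinned fingerprint")
    smtp.login(env["PROTON_BRIDGE_USER"], env["PROTON_BRIDGE_PASS"])
    return smtp
```

The pin is the SHA-256 fingerprint of the certificate Bridge presents, recorded once on the host and stored alongside the other configuration.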
