ClawHub

claw-mail

v1.0.0

Multi-account email management skill for IMAP/SMTP. Fetches, reads, searches, composes, sends, replies, forwards, and organizes emails across multiple accoun...

0· 353·0 current·0 all-time
byKamau Wanguhu@borgcube
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (multi-account IMAP/SMTP mail manager) matches the included scripts and libraries (imap_client, smtp_client, account_manager, outbox, composer, S/MIME, OAuth2, etc.). The number and nature of files are proportionate to the claimed feature set (fetch, send, draft, outbox, rules, mail-merge, webhooks, S/MIME).
Instruction Scope
Runtime instructions and scripts stay within the mail-management domain (reading config, connecting to IMAP/SMTP, staging to Outbox, processing rules, saving attachments). However, the rule pipeline supports a 'webhook' action that POSTs JSON payloads including message fields (subject, message_id, sender, matched_rules, tags). If rules/config include external webhook URLs, the skill will transmit email contents to those endpoints. The credential resolution supports op://, keychain://, and env:// URIs, meaning scripts may read environment variables or OS keychain entries if the config references them. These behaviors are plausible for an email processing tool but have data-exfiltration implications depending on configuration.
Install Mechanism
No install spec is provided (instruction-only install), and the package includes the Python scripts directly. That reduces supply-chain risk from remote downloads. The skill requires Python 3.11+ at runtime per SKILL.md but does not attempt to fetch or install arbitrary third-party code during install.
!
Credentials
The registry metadata shows no required env vars, but the code and SKILL.md explicitly support credential URIs: env://VAR_NAME (reads environment variables), keychain://... (macOS Keychain), and op://... (1Password CLI). While this is reasonable for an email client, it means a config file can cause the skill to read arbitrary environment variables or keychain items. Combined with the webhook action, a misconfigured or malicious rules/config can exfiltrate secrets or message contents. The skill therefore has capabilities to access high-value secrets if the user provides URIs in config; that access is not enforced/limited by the metadata.
Persistence & Privilege
always:false and model invocation not disabled (default) — normal. The skill does not claim to modify other skills or system-wide settings. It writes attachments and can create/modify IMAP folders and a local Outbox via IMAP; these are expected for an email client. Because the skill can be invoked autonomously and performs outbound network operations, misconfiguration could increase risk — but autonomous invocation alone is not a disqualifier.
What to consider before installing
This skill seems to implement a full-featured email client and is internally consistent with its description, but it can access credentials (env://, keychain://, op://) and can POST processed message data to arbitrary webhook URLs via rule actions. Before installing: - Review any config.yaml you will use: do not store secrets inline in the skill root. Prefer 1Password or a secure vault over env:// for very sensitive variables. - Inspect rules that include webhook_url and ensure endpoints are trusted; webhook actions will send message metadata (and potentially message content) to external services. - Audit scripts/lib/credential_store.py and references to env:///op:///keychain:// in the repository to confirm exactly how credentials are read and resolved. - If you must test, run the skill in an isolated environment or sandbox and avoid pointing it at production accounts or sensitive environment variables until you are comfortable with its behavior. - If you need stricter guarantees: require that configs do not contain env:// references for secrets, disable webhook rules, or restrict webhook endpoints to known internal services. I judged this 'suspicious' (not 'malicious') because the code and SKILL.md align with an email-management purpose, but the combination of credential resolution and webhook rule actions creates a plausible avenue for data exfiltration if misconfigured or if the config originates from an untrusted source. Additional review of the omitted files (credential_store, processor, webhook implementation) would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

latestvk975wy0sdxqbwztn4zww26rqth81z76v

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments