Custom Smtp Sender

v1.0.0

A skill to send emails with support for markdown, HTML text, and attachments, leveraging existing SMTP configuration in `/home/bb/.openclaw/smtp-config.json`. Includes retry logic and logging.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (sending email via existing SMTP config) matches the code's behavior (email_sender.py reads /home/bb/.openclaw/smtp-config.json and uses smtplib). However the registry metadata claimed no required config paths or credentials, which is incorrect: the code will unconditionally read a user-specific config file containing SMTP username/password. Also the SKILL.md shows a CLI called 'custom-smtp-sender' but no wrapper/installation is provided — the repository only contains a Python script, so the promised CLI name and distribution are inconsistent.
! Instruction Scope
SKILL.md describes retries, logging, and advanced behavior, but the provided email_sender.py contains no retry logic and no explicit logging/audit trail. The runtime instructions encourage attaching arbitrary files; while that is expected for an email sender, the skill will read arbitrary local files passed as attachments (and a body-file) and transmit them — the metadata did not declare that file access/exfiltration capability. The instructions also reference a specific config path (/home/bb/.openclaw/smtp-config.json) that is not declared in the registry.
Install Mechanism
No install spec is provided (instruction-only), which reduces supply-chain risk. However the package includes a Python script intended to be run as a CLI; there is no installer or wrapper that provides the 'custom-smtp-sender' command referenced in SKILL.md. Users would need to run the script directly or create their own wrapper.
! Credentials
The skill requires SMTP credentials (username/password) stored in a local JSON file, but the registry metadata lists no required credentials or config paths. That is a material omission: the skill will access a sensitive local file without declaring it. Requesting a file containing SMTP credentials can be legitimate for an email sender, but the lack of disclosure and the hard-coded, user-specific path (/home/bb/...) are disproportionate and surprising.
Persistence & Privilege
The skill does not request persistent/autonomous privileges (always: false) and does not modify other skills or system-wide settings. It does perform network I/O (SMTP) when invoked, which is expected for its purpose.
What to consider before installing
This skill is internally inconsistent in ways that matter for security. Before installing or running it:

1) Review and confirm the SMTP config file path and contents — the code reads /home/bb/.openclaw/smtp-config.json and will use whatever credentials are stored there; ensure that's intended and secured.
2) Don't assume retries or logging exist — the code lacks retry logic and explicit logging despite SKILL.md claims.
3) The SKILL.md references a 'custom-smtp-sender' CLI but only a Python script is provided; you will need to run the script directly or create a wrapper.
4) Treat attachments/body-file behavior carefully: the script will read any local file you point it to and send it over the network; only attach files you trust.
5) If you want to use this skill, consider editing the code to (a) accept a configurable config path or environment variables instead of a hard-coded /home/bb path, (b) add explicit retry and logging as promised, and (c) validate/limit attachment paths.
6) If you are unsure about the source, run it in an isolated environment or container and inspect/modify the code before providing any credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977hsc1d01beqrk04r8t9ch5x80jnbj
