Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Imap Smtp Email Fixed

Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Sup...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 42 · 0 current installs · 0 all-time installs
fork of @gzlicanyi/imap-smtp-email (based on 0.0.10)
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the code and runtime instructions: the package contains IMAP and SMTP CLI scripts (imap.js, smtp.js), a setup helper, and uses standard email libraries (imap, imap-simple, mailparser, nodemailer). Required binaries (node, npm) are appropriate for a Node.js CLI tool.
! Instruction Scope
Runtime instructions and scripts read and write configuration files in the user's home (~/.openclaw/.env and optional legacy ~/.config/imap-smtp-email/.env) and the skill directory (config.env). The setup script will append secrets into ~/.openclaw/.env, set file permissions, and run tests that will connect to IMAP/SMTP servers and send a test email to the configured address. These are expected for an email client, but they are potentially surprising or intrusive (automatic test send) so users should be aware.
Install Mechanism
No install spec — instruction-only with included Node.js code. No remote downloads or archive extraction; dependencies are declared in package.json/package-lock and come from npm (standard). This is a low install-risk pattern for a Node.js skill, assuming npm modules are trusted.
! Credentials
Registry metadata lists no required env vars, but the runtime expects credentials stored in files (~/.openclaw/.env and skill config.env). The setup.sh will write passwords into ~/.openclaw/.env (and set chmod 600). The repository includes a config.env pre-filled with an apparent real Yahoo email and an absolute user path (/Users/barryschneider/Downloads), which leaks PII and suggests leftover developer data. While these items are explainable for an email client, they are out-of-band relative to the registry 'required env' metadata and raise privacy concerns.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does write to and read from the user's home config (~/.openclaw/.env and config.env in the skill directory), which is appropriate for storing credentials but is a persistence action the user should explicitly consent to.
Scan Findings in Context
[pre-scan-none] expected: Automated pre-scan reported no injection signals. Manual review highlighted behavioral items (writing ~/.openclaw/.env, sending test SMTP email, and an included config.env containing another user's email/path) that are not flagged by regex scans but are relevant to security/privacy decisions.
What to consider before installing
  • This skill will store your email credentials in files (it appends passwords to ~/.openclaw/.env via setup.sh). Only run setup if you trust the skill and environment; inspect ~/.openclaw/.env afterward and remove unused secrets.
  • The setup script runs connection tests and will send a test email to the configured address. Expect network activity to your mail servers and one test outbound message.
  • The repository includes a config.env pre-filled with a Yahoo email and an absolute local path (/Users/barryschneider/Downloads). Treat this as leftover developer data: replace or remove it before running the skill so you don't inherit someone else's configuration or expose local paths.
  • The tool restricts file reads/writes using ALLOWED_READ_DIRS/ALLOWED_WRITE_DIRS; set these carefully to limit attachment access to only intended folders.
  • If you have concerns about credentials or unexpected emails, run the skill in an isolated environment (VM/container) and inspect all config files (config.env and ~/.openclaw/.env) before entering real credentials.
  • If you want greater assurance, request the author/publisher identity (homepage/source unknown) or run the code review yourself; absence of an authoritative upstream repo and the embedded example config increases risk.

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.0.0
latest: vk979sy7fd0hchht5b910qm10cs83rmm5

Runtime requirements

📧 Clawdis
Bins: node, npm

SKILL.md

IMAP/SMTP Email Tool

Read, search, and manage email via IMAP protocol. Send email via SMTP. Supports Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, vip.188.com, and any standard IMAP/SMTP server.

Configuration

Run the setup script to configure your email account:

bash setup.sh

Configuration is split into two files:

  • config.env (skill directory) — server hosts, ports, TLS settings, allowed dirs
  • ~/.openclaw/.env — credentials (user, password, from address)

Legacy fallback: ~/.config/imap-smtp-email/.env (single combined file).

Config file format

# Default account (no prefix)
IMAP_HOST=imap.gmail.com
IMAP_PORT=993
IMAP_USER=your@email.com
IMAP_PASS=your_password
IMAP_TLS=true
IMAP_REJECT_UNAUTHORIZED=true
IMAP_MAILBOX=INBOX

SMTP_HOST=smtp.gmail.com
SMTP_PORT=587
SMTP_SECURE=false
SMTP_USER=your@email.com
SMTP_PASS=your_password
SMTP_FROM=your@email.com
SMTP_REJECT_UNAUTHORIZED=true

# File access whitelist (security)
ALLOWED_READ_DIRS=~/Downloads,~/Documents
ALLOWED_WRITE_DIRS=~/Downloads
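
A containment check of the kind ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS call for, as an added example that is not the skill's own code. The function names are hypothetical; the example resolves symlinks before comparing and reduces a sender-supplied attachment name to its last path component.

```javascript
// Added example, not the skill's own code; function names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Expand a leading "~" and resolve symlinks so comparisons use real locations.
function realDir(dir) {
  const expanded = dir.replace(/^~(?=$|[\\/])/, os.homedir());
  return fs.realpathSync(path.resolve(expanded));
}

// Resolve the deepest existing ancestor and re-append the tail that does not
// exist yet, so a symlinked parent cannot place a new file outside the list.
function realTarget(target) {
  let current = path.resolve(target);
  const tail = [];
  while (!fs.existsSync(current)) {
    tail.unshift(path.basename(current));
    const parent = path.dirname(current);
    if (parent === current) break;
    current = parent;
  }
  return path.join(fs.realpathSync(current), ...tail);
}

// allowedDirs is the raw comma-separated value, e.g. "~/Downloads,~/Documents".
function isPathAllowed(target, allowedDirs) {
  const real = realTarget(target);
  const dirs = allowedDirs.split(',').map((d) => d.trim()).filter(Boolean);
  return dirs.some((dir) => {
    let root;
    try { root = realDir(dir); } catch { return false; } // missing dir grants nothing
    const rel = path.relative(root, real);
    // Compare path segments, not string prefixes: ~/Downloads-evil is outside.
    return rel === '' || (rel.split(path.sep)[0] !== '..' && !path.isAbsolute(rel));
  });
}

// Attachment names are chosen by the sender; keep only the last path component.
function safeAttachmentPath(dir, filename) {
  const base = path.basename(String(filename).replace(/\\/g, '/'));
  if (!base || base === '.' || base === '..') throw new Error('unusable attachment name');
  return path.join(dir, base);
}
```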

Multi-Account

You can configure additional email accounts in the same config file. Each account uses a name prefix (uppercase) on all variables.

Adding an account

Run the setup script and choose "Add a new account":

bash setup.sh

Or manually add prefixed config to config.env and secrets to ~/.openclaw/.env:

# Work account (WORK_ prefix)
WORK_IMAP_HOST=imap.company.com
WORK_IMAP_PORT=993
WORK_IMAP_USER=me@company.com
WORK_IMAP_PASS=password
WORK_IMAP_TLS=true
WORK_IMAP_REJECT_UNAUTHORIZED=true
WORK_IMAP_MAILBOX=INBOX
WORK_SMTP_HOST=smtp.company.com
WORK_SMTP_PORT=587
WORK_SMTP_SECURE=false
WORK_SMTP_USER=me@company.com
WORK_SMTP_PASS=password
WORK_SMTP_FROM=me@company.com
WORK_SMTP_REJECT_UNAUTHORIZED=true

Using a named account

Add --account <name> before the command:

node scripts/imap.js --account work check
node scripts/smtp.js --account work send --to foo@bar.com --subject Hi --body Hello

Without --account, the default (unprefixed) account is used.

Account name rules

  • Letters and digits only (e.g., work, 163, personal2)
  • Case-insensitive: work and WORK refer to the same account
  • The prefix in .env is always uppercase (e.g., WORK_IMAP_HOST)
  • ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS are shared across all accounts (always unprefixed)
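
The account name rules above, applied to the two-file layout, as an added example that is not the skill's own code. It assumes the credentials file takes precedence when both files define a key (the page does not state the order), and the sample values are constructed.

```javascript
// Added example, not the skill's own code. Key names are the ones documented above.
const ACCOUNT_KEYS = ['IMAP_HOST', 'IMAP_PORT', 'IMAP_USER', 'IMAP_PASS',
  'SMTP_HOST', 'SMTP_PORT', 'SMTP_USER', 'SMTP_PASS', 'SMTP_FROM'];
const SHARED_KEYS = ['ALLOWED_READ_DIRS', 'ALLOWED_WRITE_DIRS'];
const SECRET_KEYS = ['IMAP_PASS', 'SMTP_PASS'];

// Minimal KEY=VALUE parser; blank lines and "#" comments do not match and are skipped.
function parseEnv(text) {
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const m = /^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/.exec(line);
    if (m) out[m[1]] = m[2];
  }
  return out;
}

function resolveAccount(name, configText, secretsText) {
  // Account name rules: letters and digits only, case-insensitive.
  if (name !== undefined && !/^[A-Za-z0-9]+$/.test(name)) {
    throw new Error(`invalid account name: ${JSON.stringify(name)}`);
  }
  const prefix = name === undefined ? '' : `${name.toUpperCase()}_`;
  const config = parseEnv(configText);
  // Assumption: the credentials file wins when both files define a key.
  const env = { ...config, ...parseEnv(secretsText) };
  const account = {};
  const missing = [];
  for (const key of ACCOUNT_KEYS) {
    if (env[prefix + key]) account[key] = env[prefix + key];
    else missing.push(prefix + key);
  }
  for (const key of SHARED_KEYS) account[key] = env[key] || ''; // never prefixed
  // Passwords belong in ~/.openclaw/.env; report any that sit in config.env.
  const secretsInConfig = SECRET_KEYS.map((k) => prefix + k).filter((k) => k in config);
  return { account, missing, secretsInConfig };
}

// Constructed sample input (hosts, addresses and passwords are placeholders).
const SAMPLE_CONFIG = ['# Default account', 'IMAP_HOST=imap.example.org', 'IMAP_PORT=993',
  'SMTP_HOST=smtp.example.org', 'SMTP_PORT=587', 'ALLOWED_WRITE_DIRS=~/Downloads',
  'WORK_IMAP_HOST=imap.company.com', 'WORK_IMAP_PASS=left-in-config'].join('\n');
const SAMPLE_SECRETS = ['IMAP_USER=me@example.org', 'IMAP_PASS=app-password',
  'SMTP_USER=me@example.org', 'SMTP_PASS=app-password', 'SMTP_FROM=me@example.org'].join('\n');
```

Calling `resolveAccount('work', SAMPLE_CONFIG, SAMPLE_SECRETS)` lists the seven WORK_ keys that are still missing and reports WORK_IMAP_PASS as a password stored in config.env.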

Common Email Servers

Provider      IMAP Host               IMAP Port   SMTP Host             SMTP Port
163.com       imap.163.com            993         smtp.163.com          465
vip.163.com   imap.vip.163.com        993         smtp.vip.163.com      465
126.com       imap.126.com            993         smtp.126.com          465
vip.126.com   imap.vip.126.com        993         smtp.vip.126.com      465
188.com       imap.188.com            993         smtp.188.com          465
vip.188.com   imap.vip.188.com        993         smtp.vip.188.com      465
yeah.net      imap.yeah.net           993         smtp.yeah.net         465
Gmail         imap.gmail.com          993         smtp.gmail.com        587
Yahoo Mail    imap.mail.yahoo.com     993         smtp.mail.yahoo.com   465
Outlook       outlook.office365.com   993         smtp.office365.com    587
QQ Mail       imap.qq.com             993         smtp.qq.com           587

Important for Gmail:

  • Gmail does not accept your regular account password
  • You must generate an App Password: https://myaccount.google.com/apppasswords
  • Use the generated 16-character App Password as IMAP_PASS / SMTP_PASS
  • Requires Google Account with 2-Step Verification enabled

Important for 163.com:

  • Use authorization code (授权码), not account password
  • Enable IMAP/SMTP in web settings first

IMAP Commands (Receiving Email)

check

Check for new/unread emails.

node scripts/imap.js [--account <name>] check [--limit 10] [--mailbox INBOX] [--recent 2h]

Options:

  • --limit <n>: Max results (default: 10)
  • --mailbox <name>: Mailbox to check (default: INBOX)
  • --recent <time>: Only show emails from last X time (e.g., 30m, 2h, 7d)

fetch

Fetch full email content by UID.

node scripts/imap.js [--account <name>] fetch <uid> [--mailbox INBOX]

download

Download all attachments from an email, or a specific attachment.

node scripts/imap.js [--account <name>] download <uid> [--mailbox INBOX] [--dir <path>] [--file <filename>]

Options:

  • --mailbox <name>: Mailbox (default: INBOX)
  • --dir <path>: Output directory (default: current directory)
  • --file <filename>: Download only the specified attachment (default: download all)

search

Search emails with filters.

node scripts/imap.js [--account <name>] search [options]

Options:
  --unseen           Only unread messages
  --seen             Only read messages
  --from <email>     From address contains
  --subject <text>   Subject contains
  --recent <time>    From last X time (e.g., 30m, 2h, 7d)
  --since <date>     After date (YYYY-MM-DD)
  --before <date>    Before date (YYYY-MM-DD)
  --limit <n>        Max results (default: 20)
  --mailbox <name>   Mailbox to search (default: INBOX)

mark-read / mark-unread

Mark message(s) as read or unread.

node scripts/imap.js [--account <name>] mark-read <uid> [uid2 uid3...]
node scripts/imap.js [--account <name>] mark-unread <uid> [uid2 uid3...]

list-mailboxes

List all available mailboxes/folders.

node scripts/imap.js [--account <name>] list-mailboxes

list-accounts

List all configured email accounts.

node scripts/imap.js list-accounts
node scripts/smtp.js list-accounts

Shows account name, email address, server addresses, and configuration status.

SMTP Commands (Sending Email)

send

Send email via SMTP.

node scripts/smtp.js [--account <name>] send --to <email> --subject <text> [options]

Required:

  • --to <email>: Recipient (comma-separated for multiple)
  • --subject <text>: Email subject, or --subject-file <file>

Optional:

  • --body <text>: Plain text body
  • --html: Send body as HTML
  • --body-file <file>: Read body from file
  • --html-file <file>: Read HTML from file
  • --cc <email>: CC recipients
  • --bcc <email>: BCC recipients
  • --attach <file>: Attachments (comma-separated)
  • --from <email>: Override default sender

Examples:

# Simple text email
node scripts/smtp.js send --to recipient@example.com --subject "Hello" --body "World"

# HTML email
node scripts/smtp.js send --to recipient@example.com --subject "Newsletter" --html --body "<h1>Welcome</h1>"

# Email with attachment
node scripts/smtp.js send --to recipient@example.com --subject "Report" --body "Please find attached" --attach report.pdf

# Multiple recipients
node scripts/smtp.js send --to "a@example.com,b@example.com" --cc "c@example.com" --subject "Update" --body "Team update"

test

Test SMTP connection by sending a test email to yourself.

node scripts/smtp.js [--account <name>] test

Dependencies

npm install

Security Notes

  • Credentials are stored in ~/.openclaw/.env with 600 permissions (owner read/write only). Connection config is in config.env in the skill directory.
  • Gmail: regular password is rejected — generate an App Password at https://myaccount.google.com/apppasswords
  • For 163.com: use authorization code (授权码), not account password

Troubleshooting

Connection timeout:

  • Verify server is running and accessible
  • Check host/port configuration

Authentication failed:

TLS/SSL errors:

  • Match IMAP_TLS/SMTP_SECURE setting to server requirements
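  • For self-signed certs: set IMAP_REJECT_UNAUTHORIZED=false or SMTP_REJECT_UNAUTHORIZED=false. This turns off certificate verification for that connection, so use it only with servers you control.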

Files

9 total