ClawHub

Openclaw Email Bypass

v0.1.2

Send emails via Google Apps Script when traditional SMTP ports (25/465/587) are blocked. Secure and self-hosted.

3· 1.6k·1 current·2 all-time
by@rishikreddyl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The stated purpose (bypass SMTP blocks via a Google Apps Script relay) aligns with the Python client which POSTs to a provided URL with a token. However the repository/in-package metadata does not declare the required env vars (GOOGLE_SCRIPT_URL, GOOGLE_SCRIPT_TOKEN) and references an assets/Code.gs file that is not present in the shipped files — this mismatch is unexpected and reduces trust.
!
Instruction Scope
SKILL.md and README clearly instruct the agent to deploy a Google Apps Script and set two environment variables, and to run the included Python script. That scope is limited and appropriate for the stated task. Concern: the instructions repeatedly reference assets/Code.gs (the relay code) but that file is not included in the package — users would need to fetch it from the homepage/GitHub. Always review the actual Google Script code before deploying it to your Google account.
Install Mechanism
No automated install spec is present in the registry (instruction-only), but SKILL.md recommends running 'pip3 install requests' to satisfy the Python dependency. This is a low-risk, common dependency; there are no downloads from untrusted URLs or archive extraction in the package.
!
Credentials
The Python code requires two environment variables (GOOGLE_SCRIPT_URL and GOOGLE_SCRIPT_TOKEN) to operate, but the registry metadata lists no required env vars. Requiring a webhook URL and a token is reasonable for the feature, but the metadata omission is an incoherence and a red flag for incomplete packaging. Also note: the Google Apps Script deployment guidance tells users to set the web app to 'Anyone' and 'Execute as: Me' — this is convenient but increases risk if the token is leaked.
Persistence & Privilege
The skill does not request always:true and does not modify system or other skills' configurations. It does not persist data in the package. One operational note: the recommended Google Apps Script deployment uses 'Execute as: Me', meaning the relay will run with the deployer's Google account privileges — review permissions and quotas carefully.
What to consider before installing
This skill appears to do what it claims (send mail via your own Google Apps Script), but there are packaging inconsistencies you should resolve before using it: - Verify and review the Google Apps Script code (assets/Code.gs). The package references that file but it is not included; fetch it only from the official GitHub repo (check commit history) and inspect the code line-by-line before deploying. - Do not deploy a web app you don't trust. The README advises 'Who has access: Anyone' and 'Execute as: Me' — if your AUTH_TOKEN leaks, attackers could send email as your account. Use a strong token, store it in a secrets manager (not in plaintext repo), and rotate it if compromised. - Confirm environment variables are set (GOOGLE_SCRIPT_URL and GOOGLE_SCRIPT_TOKEN). The registry metadata failing to declare them is an inconsistency; treat the SKILL.md and script as the source of truth. - Review GitHub homepage and release history for the referenced Code.gs; prefer pinned releases or verified source. If you cannot obtain the relay code from a trusted location, do not deploy the relay. If you accept these caveats and verify the remote script, the design is coherent for the stated purpose. If you cannot verify the Google Script or prefer not to expose a web endpoint tied to your Google account, do not install/use this skill.

Like a lobster shell, security has layers — review code before you run it.

awsvk972bt9xhr3wpxv3nkdxmdncq980qhe3azurevk972bt9xhr3wpxv3nkdxmdncq980qhe3digital-oceanvk972bt9xhr3wpxv3nkdxmdncq980qhe3digitaloceanvk972bt9xhr3wpxv3nkdxmdncq980qhe3emailvk972bt9xhr3wpxv3nkdxmdncq980qhe3gcpvk972bt9xhr3wpxv3nkdxmdncq980qhe3gmailvk972bt9xhr3wpxv3nkdxmdncq980qhe3latestvk972bt9xhr3wpxv3nkdxmdncq980qhe3linodevk972bt9xhr3wpxv3nkdxmdncq980qhe3smtpvk972bt9xhr3wpxv3nkdxmdncq980qhe3smtp-blockvk972bt9xhr3wpxv3nkdxmdncq980qhe3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✉️ Clawdis
Binspython3

Comments