ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

osascript-email

v1.0.0

Send automated plain-text emails on macOS via Mail.app using AppleScript without SMTP credentials, suitable for alerts and reports, not bulk or HTML emails.

0· 80·0 current·0 all-time
by@yumik20

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yumik20/osascript-email.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "osascript-email" (yumik20/osascript-email) from ClawHub.
Skill page: https://clawhub.ai/yumik20/osascript-email
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install osascript-email

ClawHub CLI

Package manager switcher

npx clawhub@latest install osascript-email
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and included send_email.py all align: this is an AppleScript/osascript-based helper for Mail.app on macOS. No unrelated credentials, binaries, or cloud APIs are requested.
!
Instruction Scope
Runtime instructions tell the agent to construct and run AppleScript via osascript and provide a Python helper that builds an AppleScript string with user-supplied subject/body/to/attachment_path. The skill instructs use of absolute file paths for attachments (references/attachments.md). These patterns are expected for the task, but constructing AppleScript via naive string interpolation is brittle and can allow script injection or accidental execution of unintended AppleScript if inputs are not properly sanitized. Attachment guidance also enables sending arbitrary local files, which could be used to exfiltrate sensitive data if an agent has file access. The SKILL.md does warn about explicit consent and Automation permissions.
Install Mechanism
No install spec (instruction-only + single Python helper file). No downloading or execution of remote code; lowest-risk install pattern.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. It does require Mail.app to be configured with an account and Automation permission to control Mail.app — these are legitimate for the stated purpose.
Persistence & Privilege
always is false and the skill does not request special persistent privileges or modify other skills. Note: the platform default allows autonomous invocation; combined with the ability to attach/send local files this increases risk if the agent is granted broad file or execution rights.
What to consider before installing
This skill appears to do what it says (send Mail.app messages via AppleScript) but take precautions before installing: (1) Review and test the included scripts locally — the Python helper constructs AppleScript by interpolating user strings; avoid passing untrusted input as subject/body/to/attachment_path. (2) Be careful with attachments: supplying absolute paths lets the skill send arbitrary local files — do not give the agent broad file-system read access or allow autonomous runs that could pick sensitive files. (3) Limit Automation permissions and prefer user-invocable use (do not enable broad autonomous invocation) unless you trust the agent and inputs. (4) If you plan to use this from an automated agent, add input sanitization or stronger quoting to prevent AppleScript injection and carefully audit any cron/agent workflows that call send_email. Additional information that would raise confidence: a hardened escaping routine for AppleScript used in the helper, tests demonstrating safe handling of special characters, or an explicit note limiting agent file-access when used autonomously.

Like a lobster shell, security has layers — review code before you run it.

latestvk975nantm2sfacbae7fvw64bbx844agz
80downloads
0stars
1versions
Updated 3w ago
v1.0.0
MIT-0
@yumik20
latest
Download

osascript-email

Send email via Mail.app using AppleScript. No password or API key needed — Mail.app handles auth.

Prerequisites

  • macOS with Mail.app installed
  • At least one email account configured in Mail.app
  • Verify the sender address matches a configured Mail.app account
  • Authorization: This skill sends email silently from Mail.app. Only use with explicit user consent. Never use to send on behalf of a user without their knowledge.

Quick send (exec)

Use exec to run an inline osascript command. The script below is the canonical pattern — copy it exactly, then substitute values.

osascript << 'APPLESCRIPT'
tell application "Mail"
  set m to make new outgoing message with properties {subject:"YOUR SUBJECT", content:"YOUR BODY", visible:false}
  tell m
    make new to recipient with properties {address:"recipient@example.com"}
    make new to recipient with properties {address:"cc@example.com"}
  end tell
  send m
end tell
return "sent"
APPLESCRIPT

Escaping rules:

  • Double quotes inside subject/content must be escaped: \"
  • Backslashes must be doubled: \\
  • Newlines inside content: use \n (AppleScript treats literal newlines in the string as content)

Python helper (for agent scripts)

Use when sending email from a Python cron script or agent workflow. Copy the function from scripts/send_email.py — do not rewrite it.

from scripts.send_email import send_email

send_email(
    subject="Daily Report — 2026-01-01",
    body="Here is the summary...",
    to="primary@example.com",
    cc="secondary@example.com",       # optional
    sender="your-mail-app-account@icloud.com"  # must match Mail.app account
)

See scripts/send_email.py for the full implementation.

Multi-recipient

Add additional make new to recipient lines inside the tell m block:

make new to recipient with properties {address:"a@example.com"}
make new to recipient with properties {address:"b@example.com"}

Troubleshooting

SymptomLikely causeFix
osascript: Mail got an errorMail.app not open or account not configuredOpen Mail.app, check accounts
Email lands in Draftssend m not reached (script errored before)Check escape characters
execution error: Mail got an error: Invalid recipientAddress typoVerify recipient address
Email sends but empty bodyNewline escape issue in content stringUse Python helper instead
returncode != 0 with no stderrosascript permission deniedGrant Automation permission: macOS Ventura+: System Settings → Privacy & Security → Automation; older macOS: System Preferences → Security & Privacy → Automation

Limitations

  • Plain text only (no HTML, no inline images)
  • Attachments possible but require additional AppleScript — see references/attachments.md
  • Rate: Mail.app will queue and send; not suitable for bulk sends (>10 emails)
  • Sender must be a configured Mail.app account — cannot spoof arbitrary addresses

Comments

Loading comments...