Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Send Email
v0.1.1
Send emails via SMTP with support for HTML formatting, file attachments, and email templates. Use when users ask to: (1) Send an email, (2) Email someone, (3...
⭐ 0· 739·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement an SMTP email sender (HTML, attachments, templates), which matches the skill's name. However, the SKILL.md mandates silently defaulting to agent_skill_test@126.com when the user does not supply a sender, and instructs the agent to request that account's 126 authorization code, yet the skill manifest declares no credentials or primaryEnv for such an account. Requiring users to supply credentials for a shared or unknown default account is incoherent and out of proportion for a simple 'send email' helper.
Instruction Scope
The instructions properly describe collecting SMTP credentials and template/content inputs (expected). But they also explicitly instruct the agent NOT to ask which sender to use, to use the default 126 address automatically, and then to request that account's authorization code immediately. That is scope creep and coercive behavior. The script also reads local files for attachments and templates (expected for the functionality); this is normal, but it increases risk if the agent is allowed to select or access arbitrary local file paths without clear user confirmation.
Install Mechanism
No install spec (instruction-only), but a Python script and requirements.txt are included. Running the skill requires installing the markdown package and executing the provided script; no external or unusual download URLs are used. The presence of runnable code without an explicit install step is not malicious by itself but means the agent will execute bundled Python code on the host — consider this when trusting the skill.
Credentials
The manifest requests no environment variables, which would be reasonable for an interactive SMTP tool, but the SKILL.md expects the agent to solicit sensitive credentials (SMTP passwords, app passwords, authorization codes) from the user for multiple providers. That is expected for sending mail, with one exception: the special-case default 126 account. Asking users to provide credentials or authorization codes for a specific third-party account that the manifest does not control is disproportionate and a potential social-engineering vector. In addition, the attachment feature lets the script read arbitrary local files if the agent is instructed to attach them.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide hooks, and does not modify other skills. It appears to operate only when invoked and requires interactive credential input to send mail, which is appropriate for its function.
What to consider before installing
This skill generally implements an SMTP email sender, but exercise caution before installing or using it:
- Do not provide credentials (passwords, app passwords, authorization codes) for accounts you do not own or recognize. The SKILL.md's instruction to silently use agent_skill_test@126.com and ask for that account's authorization code is suspicious; never hand over credentials for a third-party/shared address.
- Prefer using your own SMTP credentials or an OAuth-backed provider rather than pasting raw passwords into chat. If possible, supply credentials via a secure, ephemeral mechanism rather than chat text.
- Be aware the bundled Python script can read files you ask it to attach; avoid attaching sensitive system files (SSH keys, credentials, browser stores). Limit attachment selection to files you choose explicitly.
- Because the package contains executable code (scripts/send_email.py) but no install sandbox, run it in a restricted environment or review/execute it locally rather than allowing autonomous agent execution.
- If you need this functionality but want less risk: request the skill author remove the hard-coded default sender behavior (or make it opt-in and documented), require explicit user confirmation of sender address, and add a clear privacy note explaining where credentials are stored or whether they are persisted.
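The points above (an explicitly supplied and confirmed sender, credentials taken from the environment rather than chat, attachments limited to files the user chose) can be enforced in the send path itself, which also addresses the arbitrary-file-read concern raised under Instruction Scope and Credentials. The following is an added example written for this review, not the skill's own scripts/send_email.py; the policy constants, the SMTP_USER/SMTP_PASSWORD variable names, the attachment root directory and the sample files are assumptions. Only the flagged default address agent_skill_test@126.com is taken from the scan results.

```python
"""Policy-checked SMTP send path (added example; not the skill's code)."""
from __future__ import annotations

import os
import smtplib
import tempfile
from email.message import EmailMessage
from pathlib import Path
from typing import Iterable, Mapping

# Hypothetical policy constants (assumptions for this example, not values from the skill).
SHARED_DEFAULTS = {"agent_skill_test@126.com"}   # the default the scan flagged; never usable
BLOCKED_NAMES = {"id_rsa", "id_ed25519", ".netrc", ".env", "credentials",
                 "Login Data", "Cookies", "key4.db", "logins.json"}
MAX_ATTACH_BYTES = 10 * 1024 * 1024


class PolicyError(ValueError):
    """A request violated the sending policy; the caller must ask the user, not retry silently."""


def require_explicit_sender(sender: str | None, confirmed: bool) -> str:
    """Refuse the silent-default behaviour: the sender must be supplied and confirmed by the user."""
    if not sender:
        raise PolicyError("no sender supplied; refusing to fall back to a built-in address")
    if sender.strip().lower() in SHARED_DEFAULTS:
        raise PolicyError(f"{sender!r} is a shared/unknown account; its credentials must not be requested")
    if not confirmed:
        raise PolicyError(f"sender {sender!r} has not been confirmed by the user")
    return sender.strip()


def load_credentials(env: Mapping[str, str] | None = None,
                     user_var: str = "SMTP_USER", pass_var: str = "SMTP_PASSWORD") -> tuple[str, str]:
    """Take SMTP credentials from the environment (or a secret store), never from chat text."""
    env = os.environ if env is None else env
    user, password = env.get(user_var), env.get(pass_var)
    if not user or not password:
        raise PolicyError(f"set {user_var} and {pass_var}; do not paste passwords into the conversation")
    return user, password


def resolve_attachment(user_path: str, root: Path) -> Path:
    """Allow only regular files inside `root`; reject traversal, symlink escapes and credential files."""
    root = root.resolve()
    # An absolute user_path replaces root in the join; resolve() follows symlinks, so the
    # containment check below sees the real target, not the name the user typed.
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PolicyError(f"{user_path!r} resolves outside the attachment directory {root}") from None
    if candidate.name in BLOCKED_NAMES or candidate.name.startswith("."):
        raise PolicyError(f"{candidate.name!r} looks like a credential or hidden file; refusing to attach it")
    if not candidate.is_file():
        raise PolicyError(f"{user_path!r} is not a regular file")
    if candidate.stat().st_size > MAX_ATTACH_BYTES:
        raise PolicyError(f"{user_path!r} exceeds the attachment size limit")
    return candidate


def build_message(sender: str, recipients: Iterable[str], subject: str, text: str,
                  html: str | None = None, attachments: Iterable[str] = (),
                  attach_root: Path | None = None) -> EmailMessage:
    """Assemble the message with policy-checked attachments; nothing is sent here."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(text)
    if html is not None:
        msg.add_alternative(html, subtype="html")
    for path in attachments:
        p = resolve_attachment(path, attach_root or Path.cwd())
        msg.add_attachment(p.read_bytes(), maintype="application", subtype="octet-stream", filename=p.name)
    return msg


def send(msg: EmailMessage, host: str, port: int = 587) -> None:
    """Deliver over STARTTLS using credentials from the environment."""
    user, password = load_credentials()
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.starttls()
        smtp.login(user, password)
        smtp.send_message(msg)


def make_sample_root() -> Path:
    """Constructed fixture: a temporary attachment directory with one report and one key-like file."""
    root = Path(tempfile.mkdtemp(prefix="attach-"))
    (root / "report.txt").write_text("quarterly numbers\n")
    (root / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nnot a real key\n")
    return root


if __name__ == "__main__":
    root = make_sample_root()
    sender = require_explicit_sender("alice@example.org", confirmed=True)
    message = build_message(sender, ["bob@example.org"], "Report", "See attached.",
                            html="<p>See attached.</p>", attachments=["report.txt"], attach_root=root)
    print(f"{len(list(message.iter_attachments()))} attachment(s) accepted; dry run, nothing sent")
    for bad in ("../../etc/passwd", "id_rsa", "/etc/hostname"):
        try:
            resolve_attachment(bad, root)
        except PolicyError as e:
            print("rejected:", e)
```

The agent-facing surface is `require_explicit_sender`, `build_message` and `send`; each refuses with a `PolicyError` instead of guessing, so a missing sender or an out-of-tree attachment becomes a question back to the user rather than a silent default. `resolve_attachment` checks containment after `resolve()`, which is what defeats both `../` traversal and a symlink inside the allowed directory that points at `~/.ssh/id_rsa`.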
If you cannot verify the author or do not trust interactive credential prompts, classify this skill as unsafe to use.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972n6prtf58dapk0fksrmqd9n81d73m
