Skill v1.0.0

ClawScan security

OpenClaw Email Manager for Postfix and Dovecot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 12:25 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with an IMAP/SMTP email manager for Postfix/Dovecot — it needs mailbox credentials and a config.json and otherwise behaves as described.
Guidance
This skill appears to do what it says: it needs your mailbox credentials (email/password) to log in to IMAP and SMTP. Before installing, consider:
(1) store credentials securely (use an app-specific password or account with limited access),
(2) place config.json in a secure path with restricted permissions rather than a world-readable location,
(3) review the scripts yourself or run them in a test account to confirm behavior,
(4) be aware the code will try multiple config locations including /etc/openclaw and ~/.openclaw — ensure those paths are appropriate for your deployment, and
(5) confirm the agent environment has network access only to your mail servers.
The only minor metadata inconsistency is that the registry lists no required env vars despite the code supporting EMAIL_*/IMAP_/SMTP_ environment variables; that does not change the overall coherence but you should be aware of it.

Review Dimensions

Purpose & Capability
ok: Name/description match the provided code and SKILL.md: the scripts use imaplib/smtplib to list, read, move, mark, draft, and send messages. No unrelated cloud providers, devops systems, or unrelated credentials are requested.
Instruction Scope
ok: SKILL.md instructs creating a config.json and running the provided Python scripts. The scripts operate on IMAP/SMTP servers and only reference expected local config locations (repo config, cwd, ~/.openclaw path, /etc/openclaw). They do not instruct reading arbitrary unrelated system files or exfiltrating data to external endpoints beyond the mail servers.
Install Mechanism
ok: No install spec; this is an instruction-only skill with bundled Python scripts. It requires only python3 and uses the standard library (imaplib/smtplib). No downloads or external packages are pulled in.
Credentials
note: The skill expects mailbox credentials (email address/password) but the registry metadata lists no required env vars or config paths. The code will read credentials from config.json or the EMAIL_*/IMAP_/SMTP_ environment variables — so although no env vars were declared in metadata, the scripts will accept them. Providing EMAIL_PASSWORD gives complete mailbox access, which is necessary but sensitive; the skill also looks for config.json in system locations (including /etc/openclaw).
Persistence & Privilege
ok: always is false and the skill does not modify other skills or system-wide agent settings. It writes nothing by itself and only reads config.json and environment variables.