super-imap-smtp-email
v1.0.0Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Sup...
⭐ 0· 58·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included code: the scripts implement IMAP receiving and SMTP sending, multi-account support, and attachment handling. Required binaries (node, npm) are appropriate for the provided Node.js scripts. There are no unrelated service credentials requested.
Instruction Scope
SKILL.md and setup.sh instruct the user to run setup.sh which collects IMAP/SMTP credentials and writes them to ~/.config/imap-smtp-email/.env (with chmod 600). The runtime scripts read that config and only permit file reads/writes within ALLOWED_READ_DIRS/ALLOWED_WRITE_DIRS. This scope is appropriate for an email client, but the skill persists sensitive credentials locally and will send a test email during setup and perform network I/O when used.
Install Mechanism
There is no download/install spec — this is instruction/code-only. package.json declares normal npm dependencies (dotenv, imap, imap-simple, mailparser, nodemailer). Running npm install (not provided automatically) would fetch packages from the public registry; the project does not pull arbitrary binaries or remote archives during install.
Credentials
The registry metadata lists no required environment variables, which is accurate for agent env, but the skill requires and stores IMAP/SMTP usernames and passwords in a local .env file. Those credentials are necessary for the stated purpose, but storing them in plaintext (even with file perms 600) is sensitive and worth noting. The fallback .env in the skill directory is also read if the primary config is missing, which could unintentionally expose credentials if placed there.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It intentionally persists configuration to ~/.config/imap-smtp-email/.env so credentials survive updates — this is expected for an email client. The skill does not modify other skills or system-wide agent settings.
Assessment
This skill appears to be an honest IMAP/SMTP client, but it will ask you for email account credentials and save them in plaintext to ~/.config/imap-smtp-email/.env (setup.sh sets permissions to 600). Before installing, consider: 1) Use an app-specific or dedicated email account/password (Gmail app passwords or service-specific authorization codes) rather than your primary account password. 2) Confirm you trust the package source — running npm install will fetch third-party packages. 3) Keep ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS restrictive to limit which files the skill can read or write. 4) Be aware the setup script sends a test email (network activity). 5) Remove or rotate credentials if you stop using the skill. If you need stronger protection, use a dedicated mailbox or an authentication method that can be revoked (app passwords) rather than long-lived primary credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk979km0kxev5wzfwq7hmhk7z1x84jcy6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📧 Clawdis
Binsnode, npm