v0.0.14

IMAP/SMTP Email - Maddy Fix

ReviewClawScan verdict for this skill. Analyzed Apr 30, 2026, 7:07 PM.

Analysis

The skill appears aligned with email reading and sending, but it gives the agent high-impact email authority, including direct sending, without an explicit approval safeguard.

Guidance: Before installing, confirm you trust the source, use an app password or limited email account if possible, keep TLS certificate verification enabled unless using a trusted self-signed server, and require the agent to ask before sending any email or attachment.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
scripts/imap.js
text: parsed.text,
html: parsed.html,
snippet: parsed.text ? parsed.text.slice(0, 200)

The skill returns email body content to the agent. Email bodies are external, untrusted text and may contain instructions aimed at influencing the agent.

User impact: A malicious email could include text that tries to trick the agent into taking actions unrelated to the user's request.
Recommendation: Treat email content as untrusted data. Do not let instructions inside emails override the user's instructions.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/smtp.js
const info = await transporter.sendMail(mailOptions);

The skill can directly send email from the configured account. The artifacts do not show an explicit confirmation, dry-run, or approval gate before this high-impact action.

User impact: An unintended or mistaken invocation could send messages or attachments from the user's email account, which may be irreversible and reputationally sensitive.
Recommendation: Require explicit user confirmation before every send operation, especially when recipients, attachments, cc, or bcc are present.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
package.json
"dependencies": {
  "dotenv": "^16.6.1",
  "imap": "^0.8.19",
  "imap-simple": "^5.1.0",
  "mailparser": "^3.9.3",
  "nodemailer": "^7.0.13"
}

The skill relies on npm packages with semver ranges rather than exact pinned versions. These dependencies are purpose-aligned, but future compatible releases could change installed code.

User impact: Dependency updates from npm may affect the behavior or security of the skill over time.
Recommendation: Prefer a lockfile or exact pinned dependency versions, and install only from trusted package registries.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
setup.sh
(cd "$SKILL_DIR" && npm install --production)

The setup helper executes a shell script and installs npm dependencies. This is disclosed and purpose-aligned, but it is still code execution during setup.

User impact: Running setup executes local shell commands and npm install behavior in the skill directory.
Recommendation: Review setup.sh before running it and install dependencies from a trusted network and registry.

Cascading Failures
Severity: Medium | Confidence: High | Status: Note
scripts/smtp.js
to: options.to,
cc: options.cc || undefined,
bcc: options.bcc || undefined,
attachments: options.attachments || []

The send path supports multiple recipient fields and attachments. A single mistaken command can propagate information outside the local environment.

User impact: A wrong recipient, bcc, or attachment could disclose sensitive information to other people.
Recommendation: Review recipients and attachments before sending, and consider adding an enforced confirmation step.

Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
package.json
"author": "NetEase"

The package metadata makes an official-sounding author claim. Users should verify provenance before assuming the skill is officially maintained by that provider.

User impact: A user may place extra trust in the skill based on the apparent publisher identity.
Recommendation: Verify the source and maintainer before entering email credentials.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
requires:
  env:
    - IMAP_HOST
    - IMAP_USER
    - IMAP_PASS
    - SMTP_HOST
    - SMTP_USER
    - SMTP_PASS
primaryEnv: SMTP_PASS

The skill explicitly requires mailbox credentials for both IMAP and SMTP, giving it authority to read and send email.

User impact: Installing and configuring the skill grants access to sensitive mailbox contents and the ability to send email as the configured user.
Recommendation: Use an app password or dedicated account where possible, limit the mailbox/account scope, and revoke the credential when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Configuration is stored at `~/.config/imap-smtp-email/.env` (survives skill updates).

The skill uses persistent local configuration that survives updates and includes sensitive account settings and passwords.

User impact: Stored credentials and configuration may continue to be reused across future agent sessions until removed or changed.
Recommendation: Protect the config file, periodically review its contents, and remove or rotate credentials when the skill is no longer needed.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Note
setup.sh
read -p "Accept self-signed certificates? (y/n): " ACCEPT_CERT
if [ "$ACCEPT_CERT" = "y" ]; then
  REJECT_UNAUTHORIZED="false"

The setup can configure IMAP/SMTP connections to skip certificate verification for self-signed servers. This may be useful for local or private servers, but it weakens protection for credentials and email content in transit.

User impact: If used on an untrusted network or with the wrong server, credentials and email contents could be exposed to interception.
Recommendation: Only accept self-signed certificates for servers you control and trust; otherwise keep certificate verification enabled.