batch-send-mail
v1.0.0批量发送个性化邮件技能。读取表格(CSV/Excel)中的邮箱列表和变量,替换邮件模板中的占位符后批量发送邮件。支持 HTML 格式、通用附件、SMTP 配置和干运行预览模式。当用户需要批量发送个性化邮件、邮件营销、通知邮件时触发,即使他们说"批量发邮件"、"群发邮件"、"批量发送邮件"也要使用此技能。
⭐ 1· 58·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the included script and examples. The script reads CSV/XLSX, substitutes template variables, supports HTML and attachments, and connects to an SMTP server — all expected for a bulk-mail sender. No unrelated services, binaries, or secrets are requested.
Instruction Scope
SKILL.md and the script stay within the advertised scope (reading a table and template, previewing, and sending via SMTP). The instructions explicitly direct the agent to save SMTP configuration to config/config.ini and to print dry-run email contents to stdout — both expected for preview but worth noting because previews/logs can expose recipients and message bodies (PII).
Install Mechanism
No install specification is provided (instruction-only skill with a Python script and requirements.txt). This is low-risk from an install perspective; dependencies are standard (pandas, openpyxl) and the repository files are direct and readable.
Credentials
The skill requests SMTP credentials (server, port, sender email, password/authorization code) only at runtime — these are proportional to sending mail. However, the script saves credentials in plaintext to a config/config.ini file under the skill directory, which is a security/privacy concern in shared or persistent environments.
Persistence & Privilege
The script persists SMTP credentials on disk (config/config.ini). While the skill does not set always:true, autonomous invocation is allowed by default (disable-model-invocation:false). Persisted credentials combined with autonomous invocation increase the blast radius (the agent or other processes with access to the skill dir could send mail later). This is not proof of maliciousness, but it is a meaningful risk to consider.
Assessment
This skill is internally coherent for sending bulk personalized email, but before installing, consider the following:
- Stored credentials: the script saves SMTP credentials in plaintext to config/config.ini inside the skill folder. If you run this in a shared or cloud environment, those credentials may be accessible to others or other skills. Consider avoiding persistent storage, using per-run CLI flags, or storing credentials in a secure secret manager.
- Use least-privilege credentials: create and use app-specific or limited-scope SMTP credentials (e.g., app passwords), not your primary account password. Rotate credentials after testing.
- Logs and previews: dry-run prints full email bodies and addresses to stdout — avoid running on sensitive data in environments where logs are captured.
- Autonomous invocation: the agent can invoke this skill autonomously by default. If you don’t want the agent to be able to send emails without explicit approval, disable autonomous use of the skill or review the agent's invocation policies.
- Permissions and cleanup: check where config/config.ini is written (SCRIPT_DIR/config/config.ini), restrict file permissions, and delete the file after use if you don’t want persistent credentials.
- Test safely: first run with --dry-run and a small test CSV and non-sensitive credentials to confirm behavior.
If you need advice on secure alternatives (secret managers, ephemeral credentials, or audit controls), provide your runtime environment and I can suggest concrete changes.Like a lobster shell, security has layers — review code before you run it.
latestvk97caqzgf70r5ecdmd76m3n0d584m2mt
License
MIT-0
Free to use, modify, and redistribute. No attribution required.