Only read email
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill’s code matches a read-only email reader, but it requires sensitive mailbox credentials and suggests persistent/global credential storage that is not declared in the registry metadata.
Install only if you are comfortable giving this skill POP3 read access to the mailbox. Use an app-specific or revocable authorization code, avoid saving EMAIL_PASS in global configuration unless necessary, remove it after use, and be cautious when asking the agent to retrieve sensitive emails or verification codes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives the agent mailbox access credentials, which can expose private emails and one-time codes if mishandled.
The script requires mailbox account credentials and uses them to authenticate to POP3, granting read access to the mailbox. This high-impact credential requirement is not reflected by the supplied registry metadata.
missing = [k for k in ("user", "pass_", "server") if not cfg[k]] ... server.user(cfg["user"])
server.pass_(cfg["pass_"])
Declare the email credential requirement explicitly, ask for clear user approval before use, prefer app-specific or revocable POP3 authorization codes, and revoke them when no longer needed.
The mailbox secret may remain available beyond a single email-reading task and could be exposed to later agent activity or other configured skills depending on OpenClaw environment handling.
The documented setup path uses a broad configuration patch to persist a sensitive email authorization secret in global OpenClaw configuration, without documented scoping, expiry, or cleanup.
In OpenClaw, environment variables can be written into the global configuration via `gateway config.patch` ... "EMAIL_PASS": "YOUR_AUTH_CODE"
Use a scoped secret store or one-time session configuration instead of global env storage, require explicit confirmation before writing credentials, and document how to remove the stored secret.
Private message contents may enter the agent context, and malicious or confusing email text could try to influence the agent’s behavior.
The script returns full email body text and attachment metadata into JSON for the agent to parse. This is expected for an email reader, but email content is sensitive and can contain untrusted instructions.
"body": get_email_body(msg),
"attachments": get_attachments(msg),
Read only the messages needed, avoid bulk retrieval unless requested, and ensure the agent treats email bodies as user data rather than executable instructions.
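As an added illustration of the recommendations in these three findings (credentials taken from the session rather than written to global config, a hard cap on how many messages are pulled, read-only POP3 access, and email bodies labelled as untrusted data), here is an example reader that is not the skill's own code; the EMAIL_USER/EMAIL_SERVER variable names and the record layout are assumptions, and the sample message is constructed.

```python
import email
import os
import poplib
from email import policy

MAX_MESSAGES = 5  # hard cap on how many messages a single call may pull

SAMPLE_MESSAGE = (  # constructed sample message, not from any real mailbox
    b"From: sender@example.com\r\nSubject: Your verification code\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nYour verification code is 123456.\r\n"
    b"--b1\r\nContent-Type: application/pdf\r\n"
    b'Content-Disposition: attachment; filename="invoice.pdf"\r\n\r\n'
    b"%PDF-1.4 placeholder\r\n--b1--\r\n"
)

def load_credentials(env=None):
    """Credentials come from the session environment only (assumed names); nothing is persisted."""
    env = os.environ if env is None else env
    cfg = {"user": env.get("EMAIL_USER", ""), "pass_": env.get("EMAIL_PASS", ""),
           "server": env.get("EMAIL_SERVER", "")}
    missing = [k for k, v in cfg.items() if not v]
    if missing:
        raise RuntimeError("missing credentials: " + ", ".join(missing))
    return cfg

def message_to_record(raw):
    """One raw RFC 822 message -> record; the body is labelled untrusted data, not instructions."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    attachments = [{"filename": p.get_filename(), "content_type": p.get_content_type(),
                    "size": len(p.get_payload(decode=True) or b"")}
                   for p in msg.iter_attachments()]  # metadata only, no attachment bytes
    return {"from": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")),
            "body": body_part.get_content() if body_part else "",
            "attachments": attachments, "trust": "untrusted"}

def fetch_recent(cfg, limit=MAX_MESSAGES):
    """Read-only POP3-over-TLS fetch of at most `limit` newest messages; no DELE is ever sent."""
    server = poplib.POP3_SSL(cfg["server"])
    try:
        server.user(cfg["user"])
        server.pass_(cfg["pass_"])
        count = len(server.list()[1])
        records = [message_to_record(b"\r\n".join(server.retr(i)[1]))
                   for i in range(count, max(count - min(limit, MAX_MESSAGES), 0), -1)]
    finally:
        server.quit()
    return records
```

The `trust` field is what the agent-side code should key on: anything marked untrusted is shown to the user or summarised, never interpreted as a command.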
