my_send_email
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill does send email as described, but it embeds a corporate SMTP password and can send messages from that account without a user-managed credential.
Do not use this skill with the embedded credential as-is. The sender password should be rotated and replaced with a properly declared, user-controlled secret, and users should confirm every email before it is sent.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to the skill artifact may be able to use or extract the SMTP credential and send email as the configured sender account.
The skill embeds and uses a fixed SMTP account password rather than a declared, user-supplied, or securely stored credential.
sender = "ai_assistant@cloudtrend.com.cn"; password = "..."; server.login(sender, password)
Remove the hardcoded password, rotate the exposed SMTP credential, and require a declared secret mechanism such as a user-provided environment variable, OAuth flow, or credential store with clear scoping.
If invoked with the wrong recipient or content, the skill can send an unintended external email.
The tool sends an external email to the receiver argument. This is expected for the skill, but the artifacts do not show recipient validation, rate limiting, allow-listing, or an explicit confirmation step.
msg["To"] = receiver ... server.send_message(msg)
Confirm recipient, subject, and body before sending, and consider adding recipient validation, rate limits, or explicit user approval for each email.
