lroccoon

IMAP/SMTP Email (Plus)

by Roccoon · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
1093 Downloads · 0 Stars · 7 Active Installs · 1 Versions
Install in OpenClaw
/install imap-smtp-email-plus
Description
Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Wor...
README (SKILL.md)

IMAP/SMTP Email Tool

Read, search, and manage email via IMAP protocol. Send email via SMTP. Supports Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, vip.188.com, and any standard IMAP/SMTP server.

Configuration

Create .env in the skill folder or set environment variables:

# IMAP Configuration (receiving email)
IMAP_HOST=imap.gmail.com          # Server hostname
IMAP_PORT=993                     # Server port
IMAP_USER=your_email@example.com  # Placeholder address
IMAP_PASS=your_password
IMAP_TLS=true                     # Use TLS/SSL connection
IMAP_REJECT_UNAUTHORIZED=true     # Set to false for self-signed certs
IMAP_MAILBOX=INBOX                # Default mailbox

# SMTP Configuration (sending email)
SMTP_HOST=smtp.gmail.com          # SMTP server hostname
SMTP_PORT=587                     # SMTP port (587 for STARTTLS, 465 for SSL)
SMTP_SECURE=false                 # true for SSL (465), false for STARTTLS (587)
SMTP_USER=your_email@example.com  # Your email address
SMTP_PASS=your_password           # Your password or app password
[email protected]          # Default sender email (optional)
SMTP_REJECT_UNAUTHORIZED=true     # Set to false for self-signed certs

Common Email Servers

Provider      IMAP Host               IMAP Port   SMTP Host            SMTP Port
163.com       imap.163.com            993         smtp.163.com         465
vip.163.com   imap.vip.163.com        993         smtp.vip.163.com     465
126.com       imap.126.com            993         smtp.126.com         465
vip.126.com   imap.vip.126.com        993         smtp.vip.126.com     465
188.com       imap.188.com            993         smtp.188.com         465
vip.188.com   imap.vip.188.com        993         smtp.vip.188.com     465
yeah.net      imap.yeah.net           993         smtp.yeah.net        465
Gmail         imap.gmail.com          993         smtp.gmail.com       587
Outlook       outlook.office365.com   993         smtp.office365.com   587
QQ Mail       imap.qq.com             993         smtp.qq.com          587

Important for 163.com:

  • Use authorization code (授权码), not account password
  • Enable IMAP/SMTP in web settings first

IMAP Commands (Receiving Email)

check

Check for new/unread emails.

node scripts/imap.js check [--limit 10] [--mailbox INBOX] [--recent 2h]

Options:

  • --limit <n>: Max results (default: 10)
  • --mailbox <name>: Mailbox to check (default: INBOX)
  • --recent <time>: Only show emails from last X time (e.g., 30m, 2h, 7d)

fetch

Fetch full email content by UID.

node scripts/imap.js fetch <uid> [--mailbox INBOX]

download

Download all attachments from an email, or a specific attachment.

node scripts/imap.js download <uid> [--mailbox INBOX] [--dir <path>] [--file <filename>]

Options:

  • --mailbox <name>: Mailbox (default: INBOX)
  • --dir <path>: Output directory (default: current directory)
  • --file <filename>: Download only the specified attachment (default: download all)

search

Search emails with filters.

node scripts/imap.js search [options]

Options:
  --unseen           Only unread messages
  --seen             Only read messages
  --from <email>     From address contains
  --subject <text>   Subject contains
  --recent <time>    From last X time (e.g., 30m, 2h, 7d)
  --since <date>     After date (YYYY-MM-DD)
  --before <date>    Before date (YYYY-MM-DD)
  --limit <n>        Max results (default: 20)
  --mailbox <name>   Mailbox to search (default: INBOX)

mark-read / mark-unread

Mark message(s) as read or unread.

node scripts/imap.js mark-read <uid> [uid2 uid3...]
node scripts/imap.js mark-unread <uid> [uid2 uid3...]

move

Move message(s) to another mailbox/folder. Useful for archiving emails.

node scripts/imap.js move <target-mailbox> <uid> [uid2 uid3...] [--mailbox <source>]

Examples:

# Archive to Gmail "All Mail"
node scripts/imap.js move "[Gmail]/所有邮件" 123 456

# Move to a custom folder
node scripts/imap.js move "Work" 123

# Move from a specific mailbox
node scripts/imap.js move "Archive" 123 --mailbox INBOX

list-mailboxes

List all available mailboxes/folders.

node scripts/imap.js list-mailboxes

SMTP Commands (Sending Email)

send

Send email via SMTP.

node scripts/smtp.js send --to <email> --subject <text> [options]

Required:

  • --to <email>: Recipient (comma-separated for multiple)
  • --subject <text>: Email subject, or --subject-file <file>

Optional:

  • --body <text>: Plain text body
  • --html: Send body as HTML
  • --body-file <file>: Read body from file
  • --html-file <file>: Read HTML from file
  • --cc <email>: CC recipients
  • --bcc <email>: BCC recipients
  • --attach <file>: Attachments (comma-separated)
  • --from <email>: Override default sender

Examples:

# Simple text email
node scripts/smtp.js send --to [email protected] --subject "Hello" --body "World"

# HTML email
node scripts/smtp.js send --to [email protected] --subject "Newsletter" --html --body "<h1>Welcome</h1>"

# Email with attachment
node scripts/smtp.js send --to [email protected] --subject "Report" --body "Please find attached" --attach report.pdf

# Multiple recipients
node scripts/smtp.js send --to "[email protected],[email protected]" --cc "[email protected]" --subject "Update" --body "Team update"

test

Test SMTP connection by sending a test email to yourself.

node scripts/smtp.js test

Dependencies

npm install

Security Notes

  • Store credentials in .env (add to .gitignore)
  • For Gmail: use App Password if 2FA is enabled
  • For 163.com: use authorization code (授权码), not account password

Troubleshooting

Connection timeout:

  • Verify server is running and accessible
  • Check host/port configuration

Authentication failed:

  • Verify username (usually full email address)
  • Check password is correct
  • For 163.com: use authorization code, not account password
  • For Gmail: use App Password if 2FA enabled

TLS/SSL errors:

  • Match IMAP_TLS/SMTP_SECURE setting to server requirements
  • For self-signed certs: set IMAP_REJECT_UNAUTHORIZED=false or SMTP_REJECT_UNAUTHORIZED=false
Usage Guidance
This package appears to implement a normal IMAP/SMTP email client, but there are red flags you should consider before installing or entering credentials:

  • Credential mismatch: The registry metadata declares no required environment variables, yet the tool requires IMAP_USER/IMAP_PASS and SMTP_USER/SMTP_PASS (sensitive credentials). Treat this as suspicious: verify the author and provenance before supplying credentials.
  • Origin/provenance: package.json and README mention 'NetEase' while the registry owner and _meta.json differ—this could be repackaged code. Prefer code from a known/trusted source.
  • Install behavior: You must run 'npm install' locally; dependencies are common and expected, but running install will write packages to disk. Inspect the included scripts (imap.js, smtp.js, setup.sh) yourself or in a sandbox before running.
  • Minimize exposure: If you decide to test, use an account with no sensitive mail (or an app-specific/test account), and use app-passwords where supported (Gmail app password, authorization codes) rather than your primary account password.
  • .env handling: Add the created .env to .gitignore and avoid committing it. Review setup.sh which creates .env to ensure it writes only intended values.
  • If you cannot verify the publisher, do not provide real credentials. Consider running the tools in a restricted environment or sandbox and review network connections/logs while testing.

If you want, I can summarize exactly where the code reads/writes credentials and which files to inspect before running, or help craft safer test steps (sandboxed run, throwaway account, or manual credential parsing).
Capability Analysis
Type: OpenClaw Skill
Name: imap-smtp-email-plus
Version: 1.0.0

This skill is classified as suspicious due to critical vulnerabilities, specifically a shell injection risk in `setup.sh` and arbitrary file read/write capabilities in `scripts/imap.js` and `scripts/smtp.js`. The `setup.sh` script expands user-provided `EMAIL` and `PASSWORD` variables directly within a `cat << EOF` block, making it vulnerable to command injection if malicious input is provided. Additionally, `scripts/imap.js` allows writing attachments to arbitrary paths via the `--dir` option in the `download` command, and `scripts/smtp.js` allows reading arbitrary files for email bodies or attachments via `--attach`, `--body-file`, `--html-file`, and `--subject-file` options. While these file operations are inherent to an email client, the lack of input sanitization or sandboxing mechanisms makes them significant vulnerabilities that could be exploited for information disclosure or arbitrary file writes if the agent is compromised, even without explicit malicious intent from the skill author.
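
One way to add the path confinement that the analysis above reports as missing, shown as an added JavaScript example that is not the skill's own code. The function names, the single allowed-root policy and the sample paths are assumptions made for illustration.

```javascript
// Added example (not the skill's code): keep file paths inside one root.
const path = require('node:path');

// Resolve `candidate` against `baseDir`; throw if the result leaves `baseDir`.
// This is a lexical check: resolve symlinks with fs.realpathSync first if the
// tree may contain links that point outside the root.
function confine(baseDir, candidate, { allowBase = false } = {}) {
  const base = path.resolve(baseDir);
  const full = path.resolve(base, String(candidate));
  const rel = path.relative(base, full);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  if (escapes || (rel === '' && !allowBase)) {
    throw new Error(`path outside ${base}: ${candidate}`);
  }
  return full;
}

// Attachment names come from the message, so the sender controls them.
// Keep only the last path component (POSIX or Windows separators), drop
// control characters and leading dots, and refuse names that end up empty.
function safeAttachmentName(rawName) {
  const leaf = String(rawName ?? '').split(/[\\/]/).pop();
  const cleaned = leaf.replace(/[\x00-\x1f]/g, '').replace(/^\.+/, '');
  if (!cleaned) throw new Error('unusable attachment name');
  return cleaned;
}

// Where a `download --dir <path>` style command may write one attachment.
function attachmentTarget(allowedRoot, outputDir, rawName) {
  const dir = confine(allowedRoot, outputDir, { allowBase: true });
  return confine(dir, safeAttachmentName(rawName));
}

// Which file an `--attach` / `--body-file` style option may read.
function readableInput(allowedRoot, requested) {
  return confine(allowedRoot, requested);
}

// Constructed sample values, not taken from the skill.
const ROOT = '/srv/skill-workdir';
console.log(attachmentTarget(ROOT, 'downloads', '../../etc/cron.d/job'));
for (const bad of ['/etc/passwd', '../.ssh/id_rsa', '.env/../../secrets']) {
  try { readableInput(ROOT, bad); } catch (e) { console.log('rejected:', bad); }
}
```
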
Capability Assessment
Purpose & Capability
The skill's name/description (read/send email via IMAP/SMTP) aligns with the included scripts (imap.js, smtp.js) and README: the code implements the documented functionality. However the package author metadata and registry ownership appear inconsistent (package.json/README claim 'NetEase' but registry owner and _meta.json differ), which suggests repackaging or unclear provenance.
Instruction Scope
Runtime instructions and scripts are scoped to IMAP/SMTP operations: connecting to servers, searching/fetching messages, downloading attachments, and sending email. They read a local .env for credentials and may read/write files for attachments and body files (expected for this functionality). The instructions do not contain explicit exfiltration or unexpected external endpoints beyond standard IMAP/SMTP servers.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes package.json and package-lock.json and expects you to run 'npm install'. That pulls common npm libraries (imap, imap-simple, mailparser, nodemailer, dotenv). This is a moderate-risk pattern—dependencies are normal for an email tool, but the lack of an install spec plus bundled code means the package will write dependencies to disk when you run npm install.
Credentials
The metadata lists no required environment variables or primary credential, yet SKILL.md, setup.sh, and the scripts require many sensitive env vars (IMAP_USER, IMAP_PASS, IMAP_HOST, SMTP_USER, SMTP_PASS, SMTP_HOST, etc.). This mismatch (declaring no env needs while actually requiring account credentials and passwords) is an incoherence and increases risk: the skill will need direct access to email credentials but the registry metadata gives no visibility or prompts about that.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent configuration. It writes a .env file in the skill folder via setup.sh (local only) and writes attachments to user-specified directories—expected behavior for an email client.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install imap-smtp-email-plus
  3. After installation, invoke the skill by name or use /imap-smtp-email-plus
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Added move command to move emails between mailboxes
Metadata
Slug imap-smtp-email-plus
Version 1.0.0
License
All-time Installs 7
Active Installs 7
Total Versions 1
Frequently Asked Questions

What is IMAP/SMTP Email (Plus)?

Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Wor... It is an AI Agent Skill for Claude Code / OpenClaw, with 1093 downloads so far.

How do I install IMAP/SMTP Email (Plus)?

Run "/install imap-smtp-email-plus" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is IMAP/SMTP Email (Plus) free?

Yes, IMAP/SMTP Email (Plus) is completely free (open-source). You can download, install and use it at no cost.

Which platforms does IMAP/SMTP Email (Plus) support?

IMAP/SMTP Email (Plus) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created IMAP/SMTP Email (Plus)?

It is built and maintained by Roccoon (@lroccoon); the current version is v1.0.0.
