← Back to Skills Marketplace

Skulk Email

Name: Skulk Email
Author: adainthelab

by Ada Vale · GitHub ↗ · v1.0.2 · MIT-0

cross-platform ⚠ suspicious

406

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install skulk-email

Description

Email via DreamHost — read inbox, send email, search messages. Send works from any VPS (including DigitalOcean) by routing through DreamHost's Roundcube webm...

Usage Guidance

This skill is consistent with its description, but keep these practical safety points in mind: - The script requires storing your mailbox password in plaintext in ~/.config/skulk-email/credentials.json. Ensure the directory (700) and file (600) permissions are applied and only use on machines you trust. Consider using an account with limited privileges or an app-specific password where supported. - The send flow automates a webmail login and scrapes tokens; it stores cookies in /tmp and attempts to clean them up on exit, but if the process is killed (SIGKILL) cookies may remain temporarily. Don’t run on multi-user systems where /tmp is shared without appropriate protections. - Webmail automation can be brittle (changes to the Roundcube UI could break it) and may run afoul of provider rate limits or terms of service if abused; avoid bulk sending and respect DreamHost/Gmail policies. - If you need stronger security, consider using an OAuth/app-password approach for Gmail and avoid storing long-lived plaintext passwords. - If you want additional assurance, review the script yourself or run it in a sandbox/VPS you control before linking any production mailbox.

Capability Analysis

Type: OpenClaw Skill Name: skulk-email Version: 1.0.2 The skill provides legitimate email functionality via IMAP and DreamHost Roundcube webmail automation to bypass SMTP blocks. However, it contains a security vulnerability in `scripts/skulk-email.sh` where sensitive email credentials (passwords) are passed as plaintext command-line arguments to a Python subprocess, making them visible to other users on the system via the process list. It also stores session cookies in the shared `/tmp` directory. While these appear to be unintentional design flaws rather than malicious intent, they represent a risk to credential confidentiality.

Capability Assessment

✓ Purpose & Capability

Name/description (DreamHost Roundcube send + IMAP read) align with the script's actions: it reads a local credentials JSON, uses imaplib for IMAP access (imap.dreamhost.com / optionally imap.gmail.com) and uses curl to log in and send via webmail.dreamhost.com. Required binaries (python3, curl, jq) are reasonable and documented.

✓ Instruction Scope

SKILL.md instructs the user to store credentials in ~/.config/skulk-email/credentials.json and run the provided script. The script only reads that file, contacts the documented DreamHost/Gmail endpoints, and writes temporary cookies to /tmp; it does not attempt to read other system files or exfiltrate data to unexpected endpoints.

✓ Install Mechanism

There is no install spec (instruction-only plus an included script), so nothing is downloaded or installed by the skill itself. This minimizes install-time risk. The runtime dependencies are standard, documented binaries.

✓ Credentials

No environment variables, no external API keys, and no unrelated credentials are requested. The only secret required is the mailbox password (DreamHost, and optionally a Gmail app password), stored in the explicitly-documented local JSON file. That storage method and permissions are described in SKILL.md.

✓ Persistence & Privilege

The skill is not always-enabled and does not request persistent system-wide changes or modify other skills. It runs on-demand and performs its actions only when invoked.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install skulk-email
After installation, invoke the skill by name or use /skulk-email
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.2

Frontmatter description now explicitly lists host dependencies (python3, curl, jq) and credential file path (~/.config/skulk-email/credentials.json) with manual setup requirement.

v1.0.1

Added explicit requirements (python3, curl, jq) and security section documenting credential handling, TLS-only transmission, and cleanup behavior.

v1.0.0

Initial release. Read and send email via DreamHost — bypasses SMTP port blocks (DigitalOcean, etc.) by routing sends through Roundcube webmail over HTTPS. IMAP reading for DreamHost and Gmail. No third-party services needed.

Metadata

Slug skulk-email

Version 1.0.2

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 3

Frequently Asked Questions

What is Skulk Email?

Email via DreamHost — read inbox, send email, search messages. Send works from any VPS (including DigitalOcean) by routing through DreamHost's Roundcube webm... It is an AI Agent Skill for Claude Code / OpenClaw, with 406 downloads so far.

How do I install Skulk Email?

Run "/install skulk-email" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skulk Email free?

Yes, Skulk Email is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Skulk Email support?

Skulk Email is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Skulk Email?

It is built and maintained by Ada Vale (@adainthelab); the current version is v1.0.2.

More Skills