- Downloads: 1137
- Stars: 1
- Active Installs: 2
- Versions: 3
Install in OpenClaw
/install smtp-sender
Description
A skill to send emails with support for markdown, HTML text, and attachments, leveraging existing SMTP configuration in `{skill~}/smtp-config.json`. Includes...
Usage Guidance
What to consider before installing:
- The script does send email via SMTP using credentials stored in smtp-config.json next to the skill; those credentials are plaintext in that file. Consider storing SMTP credentials in a secret manager or environment variables rather than a repo file.
- SKILL.md promises markdown-to-HTML conversion, retry logic, and logging — none of these are implemented. If you need those features, review and update the code (add a markdown library, add retry/error-handling and persistent logging) before relying on it.
- The script will attach any file paths you supply. If you allow automatic or autonomous invocation, be careful: an agent could be instructed to attach and send arbitrary local files (risk of data exfiltration). Restrict autonomous use or add path whitelisting and validation.
- The example config contains placeholder credentials and an internal IP — treat it as an example only. Ensure file permissions (chmod 600) and that the skill directory is not world-readable.
- If you want to use this skill safely: audit the code, implement missing features properly (markdown conversion, retries, logging), move credentials to a secret store or environment variables, add explicit input validation for attachment paths, and restrict autonomous invocation or require explicit user confirmation before sending.
Confidence note: high — the code is small and the mismatches between documentation and implementation are clear. There are no signs of network C2 endpoints or obfuscated code, but the feature/documentation inconsistencies and plaintext credential handling are noteworthy.
Capability Analysis
Type: OpenClaw Skill
Name: smtp-sender
Version: 1.0.2
The `email_sender.py` script is vulnerable to Local File Inclusion (LFI) via its `--body-file` and `--attachments` arguments. An AI agent, if subjected to prompt injection, could be instructed to provide paths to sensitive local files (e.g., credentials, system configuration) for these arguments, leading to their unauthorized reading and exfiltration via email. While the code itself does not exhibit explicit malicious intent, this capability presents a significant security risk that could be leveraged for data theft.
Capability Assessment
Purpose & Capability
Name/description (SMTP email sender) aligns with the included Python script which sends email via SMTP. However the SKILL.md and description claim additional capabilities — markdown -> HTML conversion, retry logic, and logging — that are not present in the code. That mismatch indicates the documentation overstates functionality.
Instruction Scope
SKILL.md instructs running the included script and points to a local smtp-config.json for credentials, which matches the code's CONFIG_PATH (script directory). But the doc promises automatic markdown conversion, retries and logging, which the script does not perform. The script will read any files passed as attachments or body_file and will send them via the configured SMTP server; if invoked autonomously or with user-supplied paths, this could be used to exfiltrate files. The usage examples assume the config file is stored alongside the skill and recommend chmod 600, which is reasonable, but there is no built-in secret protection or validation of attachments.
Install Mechanism
No install spec — instruction-only with a small Python script. Nothing is downloaded or written to disk by an installer. This is the lowest install risk.
Credentials
The skill requests no environment variables. SMTP credentials are expected in a local smtp-config.json file (username/password in plaintext). That is proportionate to sending mail but has security implications: secrets are stored in cleartext within the skill directory instead of a secret store or env var. No unrelated credentials are requested.
Persistence & Privilege
The skill is configured with always:false and the default agent-invocation behavior. It does not request persistent system-wide privileges or modify other skills. The main risk relates to what the script can send if invoked autonomously (it can read and attach arbitrary file paths passed to it).
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install smtp-sender`
- After installation, invoke the skill by name or use `/smtp-sender`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
- Added smtp-config.example.json to provide a reference SMTP configuration file.
- Removed sample and metadata files: .clawhub/origin.json, _meta.json, and smtp-config.json.
- No changes to functionality; configuration and documentation remain the same.
v1.0.1
- Skill name updated from "custom-smtp-sender" to "smtp-sender".
- No file changes detected; documentation updated only.
- All previous features, usage, and descriptions remain unchanged.
v1.0.0
Initial release of custom-smtp-sender.
- Send emails using existing SMTP configuration from smtp-config.json.
- Supports HTML and Markdown email bodies.
- Allows file attachments.
- Built-in retry logic on temporary failures.
- Email send attempts and errors are logged for auditing and troubleshooting.
Frequently Asked Questions
What is smtp-sender?
A skill to send emails with support for markdown, HTML text, and attachments, leveraging existing SMTP configuration in `{skill~}/smtp-config.json`. Includes... It is an AI Agent Skill for Claude Code / OpenClaw, with 1137 downloads so far.
How do I install smtp-sender?
Run "/install smtp-sender" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is smtp-sender free?
Yes, smtp-sender is completely free (open-source). You can download, install and use it at no cost.
Which platforms does smtp-sender support?
smtp-sender is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created smtp-sender?
It is built and maintained by leonard.w (@xlbbb-cn); the current version is v1.0.2.