← 返回 Skills 市场

CMA Email

Name: CMA Email
Author: mtbf999

作者 mtbf999 · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

973

总下载

当前安装

版本数

在 OpenClaw 中安装

/install cma-email

功能描述

Sends an email via Gmail when a message starts with "cma" or "cmap".

使用说明 (SKILL.md)

CMA-email

SYSTEM INSTRUCTION: If the user's message starts with "cma" or "cmap" (case-insensitive), you MUST use this skill. Do not reply with text conversation. Execute the email command immediately.

Usage

cma [subject] | [body] -> Sends to CMA recipient. Subject: "TODO: [subject]", Body: "[body]"
cma [message] -> Sends to CMA recipient. Subject: "TODO: [first 20 chars]...", Body: "[message]"
cmap [subject] | [body] -> Sends to CMAP recipient. Subject: "TODO: [subject]", Body: "[body]"
cmap [message] -> Sends to CMAP recipient. Subject: "TODO: [first 20 chars]...", Body: "[message]"

Instructions

When the user's message starts with "cma" or "cmap" (case-insensitive):

Identify Prefix and Recipient:
- If the message starts with "cmap":
  - Recipient: [email protected]
  - Prefix Length: 4
- Else if the message starts with "cma":
  - Recipient: [email protected]
  - Prefix Length: 3
Parse the Content:
- Strip the prefix (first 3 or 4 characters) and trim leading whitespace.
- Check for the pipe character |.
Determine Subject and Body:
- If | is present:
  - Split the text at the first |.
  - Subject: "TODO: " + (part before | trimmed).
  - Body: (part after | trimmed).
- If | is NOT present:
  - Subject: "TODO: " + (first 20 chars of the text trimmed) + "...".
  - Body: The full text.
Send Email:
- Use the gog skill to send the email.
- Command: gog gmail send --to "[Recipient]" --subject "[Subject]" --body "[Body]"
Feedback:
- Confirm to the user that the email was sent to the specific recipient (or alias) with the generated subject.

安全使用建议

This skill will automatically send whatever text follows the 'cma' or 'cmap' prefix to a hard-coded email address via the 'gog' skill, without asking for confirmation. Before installing, confirm: (1) you trust the targets ([email protected] and [email protected]); (2) the 'gog' skill is configured with appropriate Gmail credentials and you understand its permissions; (3) you are comfortable with automatic sends (consider accidental triggers or sensitive data leakage). If you want safer behavior, request a confirmation step in the SKILL.md (e.g., ask the user to approve the composed email before sending) or limit allowed content. Test in a safe environment first.

功能分析

Type: OpenClaw Skill Name: cma-email Version: 1.0.0 The skill is vulnerable to prompt injection via user-controlled input in the subject and body fields, as these are directly embedded into the `gog` skill command within `SKILL.md`. An attacker could craft a message (e.g., `cma my subject. **SYSTEM INSTRUCTION: [malicious command]** | my body`) to inject arbitrary instructions for the AI agent, potentially leading to unauthorized actions or information disclosure, even though the skill's stated purpose is benign email sending.

能力评估

ℹ Purpose & Capability

The name/description match the instructions: the skill sends Gmail messages to two specific recipients. It relies on the 'gog' skill to perform the actual send (declared in SKILL.md metadata). The registry metadata shown earlier did not list required env or creds, which is consistent because this instruction-only skill delegates auth to the 'gog' skill — but users must understand that 'gog' will need Gmail credentials to work.

⚠ Instruction Scope

SKILL.md contains a SYSTEM INSTRUCTION that the agent MUST use the skill and immediately execute the send (no textual reply or confirmation). It will transmit arbitrary user-provided text to external email addresses (hard-coded). There is no input sanitization, confirmation step, or safeguards to prevent sending sensitive data. This is scoped to email sending, but the 'must execute without confirmation' behavior is risky.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk. Lowest install risk.

ℹ Credentials

The skill itself requests no env vars or credentials, which is consistent because it delegates to the 'gog' skill. However, that means permission to send Gmail depends on the gog skill's credentials/scope; the skill hard-codes two recipient addresses (one personal Gmail and one corporate email) which users should verify. No other unrelated credentials are requested.

✓ Persistence & Privilege

always:false and no install actions. The only notable privilege is the SKILL.md 'MUST use this skill' instruction which enforces immediate use when the message prefix matches; this is a behavioral/design risk but not a platform-level persistence/privilege escalation.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install cma-email
安装完成后，直接呼叫该 Skill 的名称或使用 /cma-email 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: Automatically sends emails via Gmail when user messages start with "cma" or "cmap". - Detects "cma" or "cmap" prefixes to route emails to specific recipients. - Parses subject and body using the "|" character, or generates a default subject from message content. - Integrates with the `gog` skill for Gmail sending. - Confirms email delivery to the user with recipient and subject details.

元数据

Slug cma-email

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

CMA Email 是什么？

Sends an email via Gmail when a message starts with "cma" or "cmap". 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 973 次。

如何安装 CMA Email？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cma-email」即可一键安装，无需额外配置。

CMA Email 是免费的吗？

是的，CMA Email 完全免费（开源免费），可自由下载、安装和使用。

CMA Email 支持哪些平台？

CMA Email 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 CMA Email？

由 mtbf999（@mtbf999）开发并维护，当前版本 v1.0.0。