← 返回 Skills 市场
email-reporter
作者
dirkcaiusa
· GitHub ↗
· v1.0.0
· MIT-0
334
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install email-reporter
功能描述
Generic email reporting tool for OpenClaw agents. Auto-converts Markdown to PDF and sends as attachments.
使用说明 (SKILL.md)
Email Reporter Skill
Overview
A unified email reporting tool for OpenClaw agents. Automatically converts Markdown reports to PDF when images are detected, and sends them as attachments.
Features
- Smart Format Detection: Auto-converts to PDF for reports with images or large files (>500KB)
- Markdown Support: Native Markdown rendering with syntax highlighting
- Flexible Configuration: Environment variables or config file for email settings
- Multiple Backends: Support for msmtp, SMTP, and sendmail
Installation
clawhub install email-reporter
Configuration
Option 1: Environment Variables (Recommended)
export EMAIL_SENDER="[email protected]"
export EMAIL_RECIPIENT="[email protected]"
export EMAIL_SMTP_HOST="smtp.qq.com"
export EMAIL_SMTP_PORT="587"
export EMAIL_SMTP_USER="[email protected]"
export EMAIL_SMTP_PASS="your-auth-code"
Option 2: Config File
Create ~/.email_reporter.conf:
{
"sender": "[email protected]",
"recipient": "[email protected]",
"smtp_host": "smtp.qq.com",
"smtp_port": 587,
"smtp_user": "[email protected]",
"smtp_pass": "your-auth-code",
"use_msmtp": false
}
Option 3: Command Line
python3 email_reporter.py report.md --sender [email protected] --to [email protected]
Usage
Basic Usage
# Send report to default recipient
python3 email_reporter.py report.md
# Specify agent name (used in subject)
python3 email_reporter.py report.md --agent "my-agent"
# Custom recipient
python3 email_reporter.py report.md --to "[email protected]"
# Custom subject
python3 email_reporter.py report.md --subject "My Analysis Report"
In Your Agent
import subprocess
# Send a report
subprocess.run([
"python3", "skills/email-reporter/email_reporter.py",
"reports/analysis.md",
"--agent", "invest-agent",
"--to", "[email protected]"
])
File Format Selection
| Scenario | Format | Delivery |
|---|---|---|
| Plain text (\x3C100KB) | Markdown | Direct |
| With images or >500KB | Attachment | |
| Data tables | Markdown + CSV | Attachment bundle |
SMTP Setup Guide
QQ Mail (腾讯)
- Enable SMTP: 设置 → 账户 → 开启SMTP服务
- Generate auth code (not your password!)
- Use auth code as
EMAIL_SMTP_PASS
Gmail
- Enable 2FA
- Generate App Password
- Use app password as
EMAIL_SMTP_PASS
Outlook/Office 365
export EMAIL_SMTP_HOST="smtp.office365.com"
export EMAIL_SMTP_PORT="587"
Troubleshooting
Email not sending
# Test SMTP connection
python3 -c "
import smtplib
s = smtplib.SMTP('smtp.qq.com', 587)
s.starttls()
s.login('[email protected]', 'your-auth-code')
print('Login OK')
"
PDF conversion fails
# Install dependencies
pip install markdown weasyprint
# For Linux (Ubuntu/Debian)
sudo apt-get install libpango-1.0-0 libpangoft2-1.0-0
License
MIT
安全使用建议
This skill generally implements an email-sender that converts Markdown to PDF and sends attachments, but review before installing:
- Security issues to consider:
- send_attachment.py uses subprocess.run(..., shell=True) when invoking msmtp with a command string that includes recipient input. If an attacker can control the recipient value, this can lead to shell injection. Recommend patching to avoid shell=True and use a list-argument invocation.
- The tool will attach and send arbitrary files you point it at (including sensitive files). Only run it in contexts where attachments are safe to send, and do not point it at system or secret files.
- It writes a predictable temporary file (/tmp/email_reporter_msg.eml) when using msmtp, which can cause race conditions or leaking if /tmp is shared—use a secure unique temp file.
- The skill requires sensitive SMTP credentials (EMAIL_SMTP_PASS). The registry metadata omitted required env vars — treat that as an information gap and supply credentials via a secure secret store, not plaintext where possible.
- Operational recommendations:
- If you plan to use msmtp backend, update send_via_msmtp to avoid shell=True and to create a unique temp file (e.g., tempfile.NamedTemporaryFile) and pass arguments as a list.
- Limit the agent's filesystem access (or which reports are passed) so it cannot be used to exfiltrate arbitrary files.
- Verify the pip/system dependencies (markdown, weasyprint, pango libs) in a safe environment before using the skill in production.
Given these implementation issues (command execution with shell=True, omission of declared env requirements, and attachment-of-arbitrary-files behavior), proceed only after reviewing or patching the code and restricting where the skill runs.
功能分析
Type: OpenClaw Skill
Name: email-reporter
Version: 1.0.0
The skill contains a shell injection vulnerability in `send_attachment.py` within the `send_via_msmtp` function, where the `to_addr` variable is directly interpolated into a shell command string (`subprocess.run(..., shell=True)`). While the tool's primary purpose of sending email reports appears legitimate, this flaw could be exploited for arbitrary command execution if the recipient field is controlled by an attacker. No clear evidence of intentional malice, data exfiltration, or prompt injection was found.
能力评估
Purpose & Capability
The code matches the stated purpose: converting Markdown to PDF and emailing attachments via SMTP/msmtp. However the registry metadata lists no required environment variables while the code expects EMAIL_SMTP_PASS, EMAIL_SENDER, EMAIL_RECIPIENT, etc. That mismatch is a configuration/information inconsistency.
Instruction Scope
SKILL.md instructs agents to run the Python scripts directly (subprocess usage example). The scripts read arbitrary report paths and will attach arbitrary files present on disk (expected for an email tool), which means the skill can send any local file the agent is asked to attach. The runtime instructions do not explicitly warn about this risk.
Install Mechanism
No install spec is provided (instruction-only at registry level). SKILL.md lists pip dependencies (markdown, weasyprint) and system libs for PDF rendering — those are reasonable for the stated functionality and the code imports them.
Credentials
The code requires SMTP credentials and sender/recipient configuration to operate, but the skill metadata did not mark any required env vars. Requiring an SMTP password (EMAIL_SMTP_PASS) is expected for sending email, but this sensitive credential is not declared in the registry metadata. The skill passes credentials via environment to subprocesses and will send any file the agent provides as an attachment (potential for exfiltration).
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It does write a config file to the user's home (~/.email_reporter.conf) if the setup wizard is used; otherwise it uses environment variables. No modifications to other skills or system-wide settings are present.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install email-reporter - 安装完成后,直接呼叫该 Skill 的名称或使用
/email-reporter触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
**Major update: email-reporter 2.0.0 adds advanced formatting and configuration options.**
- Automatically converts Markdown reports with images or large files (>500KB) to PDF and sends as attachments
- Supports native Markdown rendering, syntax highlighting, and data tables (CSV attachment)
- Flexible configuration via environment variables, config file, or command line
- Multiple backend options: msmtp, SMTP, and sendmail
- Improved SMTP setup and troubleshooting instructions
元数据
常见问题
email-reporter 是什么?
Generic email reporting tool for OpenClaw agents. Auto-converts Markdown to PDF and sends as attachments. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 334 次。
如何安装 email-reporter?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install email-reporter」即可一键安装,无需额外配置。
email-reporter 是免费的吗?
是的,email-reporter 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
email-reporter 支持哪些平台?
email-reporter 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 email-reporter?
由 dirkcaiusa(@dirkcaiusa)开发并维护,当前版本 v1.0.0。
推荐 Skills