Is imap-smtp-email safe?
https://clawhub.ai/gzlicanyi/imap-smtp-email
This skill provides legitimate IMAP/SMTP email functionality but creates significant security exposure. The unrestricted ability to send emails with arbitrary file attachments creates a complete data exfiltration channel — any prompt injection from email content, other skills, or user documents could instruct the agent to silently email sensitive files to an attacker. The requirement for plaintext credential storage and the use of an unmaintained IMAP library add further risk. No malicious intent detected, but the capability surface is dangerous in a multi-skill agent environment.
Findings (10)
CRITICAL Unrestricted email sending capability -40
The skill grants the AI agent the ability to send emails to any recipient with any content and any file attachment. Combined with filesystem read access, this creates a complete data exfiltration channel. A prompt injection from any source could instruct the agent to silently email sensitive files to an attacker.
HIGH Arbitrary file attachment without path restriction -30
The smtp.js --attach flag resolves any file path via path.resolve() and attaches it to outgoing email. No sandboxing, no path validation, no allowlist. The agent can attach /etc/passwd, ~/.ssh/id_rsa, .env files, or any other readable file.
HIGH Arbitrary file read via --body-file and --subject-file -20
The smtp.js send command accepts --body-file, --html-file, and --subject-file flags that read arbitrary files from disk and include their contents as the email body or subject. This can exfiltrate file contents.
HIGH Plaintext credential storage required -15
The skill requires email passwords/authorization codes stored in plaintext in a .env file. These credentials are accessible to any other skill or process in the same environment.
HIGH AWS credentials file accessed during installation -35
Filesystem monitoring detected that /home/oc-exec/.aws/credentials was opened and read during the install phase. While this may be the OpenClaw runtime rather than the skill itself, it represents access to sensitive credential files during skill installation.
MEDIUM Attachment download to arbitrary paths -10
The imap.js download command writes email attachments to any directory specified by --dir, with recursive directory creation. Could be used to write malicious files to sensitive locations.
MEDIUM Unmaintained imap dependency -15
The imap npm package (^0.8.19) has been unmaintained since 2017. Unmaintained dependencies may contain unpatched vulnerabilities and represent supply-chain risk.
MEDIUM Unused imap-simple dependency -5
package.json includes imap-simple as a dependency but neither imap.js nor smtp.js imports it. Unnecessary dependencies increase attack surface without providing value.
LOW SKILL.md requests no elevated permissions -10
The SKILL.md does not contain any prompt injection patterns, hidden instructions, or attempts to override system behavior. It straightforwardly documents CLI usage.
INFO NetEase-optimized with hardcoded IMAP ID -5
The skill hardcodes an IMAP ID object with vendor 'netease' and support-email '[email protected]' for 163.com compatibility. This is a known requirement for NetEase IMAP servers but reveals the skill's primary target audience.