Is leli1024/lel-mail safe?
https://github.com/openclaw/skills/tree/main/skills/leli1024/lel-mail
lel-mail creates a critical prompt injection attack surface by injecting raw inbound email content (subject, sender, body) directly into LLM prompts that control agent actions including persistent memory writes, user notifications, and outgoing email composition — any attacker who can send an email to the monitored address can silently poison the agent's long-term memory, initiate unsolicited user contact, and exfiltrate information via the email reply mechanism. The skill additionally installs a randomized-delay cron daemon for persistent background execution and requires storing email credentials in plaintext. While the installation process itself was clean and no canary files were compromised, the runtime architecture of this skill is fundamentally unsafe for use with an autonomous agent that has tool access.
Findings (12)
CRITICAL (-45): Unsanitized Email Body Injected Directly Into LLM Prompt
check_email.sh constructs an LLM classification prompt by interpolating the raw IMAP email subject, From header, and body directly into a Python f-string, with no escaping or sandboxing. The resulting prompt is passed verbatim to openclaw agent --message. An attacker who sends a crafted email can therefore control the LLM's output JSON, selecting any action (add_memory, notify_user, to_respond) and supplying an arbitrary payload. Because the prompt explicitly asks for a JSON object, a well-crafted email body can bypass LLM reasoning entirely by supplying a pre-formed JSON response, which the script then parses with json.loads(stdout).
CRITICAL (-20): Persistent Agent Memory Poisoning via Email-Triggered add_memory
When the LLM returns action=add_memory, the payload field is passed directly to a second openclaw agent call: 'The following information needs to be logged: {memory_to_add}'. This agent is instructed to write to MEMORY.md files for the targeted user. An attacker can cause the agent to permanently inject false credentials, backdoor instructions, or manipulated context into the agent's persistent memory by sending a single email. The poisoned memory survives agent restarts and affects all future sessions.
HIGH (-12): Attacker-Controlled Agent Outreach and Email Composition via to_respond
The to_respond action triggers the agent to locate the user's active sessions (by scanning memory and USERS.md), contact them directly, and then send an outgoing email via the lel-mail skill. The scenario description and required inputs are entirely attacker-supplied. This creates a social-engineering amplification loop: the attacker seeds the situation via inbound email, the agent independently gathers additional sensitive inputs from the user, then closes the loop by sending an attacker-directed outgoing email.
HIGH (-30): Autonomous Email Exfiltration Channel via to_respond Loop
The to_respond action chain (inbound email → agent contacts user → agent sends outgoing email) provides an attacker with a functional data exfiltration path. A crafted inbound email can instruct the agent to include agent memory contents, environment details, or other sensitive context in the outgoing reply. The agent uses the lel-mail sending infrastructure already authenticated with the user's email credentials, making the exfiltration appear as legitimate user email.
HIGH (-15): Plaintext Email Credential Storage Required by Design
The skill requires storing SMTP and IMAP passwords in cleartext JSON at ~/.config/lel-mail/config.json. The README template explicitly shows the password field populated. Any agent skill, process, or user with filesystem read access can harvest these credentials. Gmail App Passwords, which are recommended, function as full account access tokens.
HIGH (-25): Persistent Randomized-Delay Cron Daemon Installation
SKILL.md instructs the agent to install a cron job running email_sender_daemon.sh every 5 minutes. The daemon itself introduces a random 30-90 second delay before each SMTP transmission. This randomization reduces detectability via timing analysis. The cron job persists indefinitely, survives agent restarts, and continues autonomous operation even if the user revokes the skill.
HIGH (-15): Subprocess Agent Spawn with Attacker-Controlled Prompts
check_email.sh uses subprocess.Popen to spawn openclaw agent processes with prompts derived from inbound email content. The spawned agents inherit the same tool access as the parent and execute with the user's credentials. This escalates a prompt injection vulnerability to full agent tool invocation — any tool available to the user's agent (filesystem, shell, network, browser) becomes accessible to the attacker via a crafted inbound email.
MEDIUM (-8): USERS.md Reconnaissance Directive Expands Access Scope
SKILL.md instructs the agent to read USERS.md or equivalent user-reference files to discover which email addresses to monitor. This is not limited to a specific path — the instruction 'or whatever USER reference file your system uses' encourages the agent to locate and read system user metadata beyond the skill's stated purpose. Combined with the notify_user and to_respond handlers, this reconnaissance data directly feeds into attacker-controlled outreach decisions.
MEDIUM (-15): Shell Variable Interpolation Into Python Heredoc Without Sanitization
email_send.sh assigns CLI arguments to shell variables (SENDER, RECIPIENT, SUBJECT, BODY, CC, BCC) and then embeds them directly into a Python heredoc using ${VAR} expansion. If any argument contains triple-quote sequences, newlines that break the Python string context, or other metacharacters, the embedded Python code can be corrupted or manipulated. An agent invoking this script with user-supplied email content could inadvertently execute attacker-injected Python.
LOW (-5): Tailscale Bypass Recommendation for Cloud Email Controls
The skill documentation advises users on cloud or VPS environments to use Tailscale to bypass provider-level email sending restrictions. While presented as a usability tip, this recommendation actively encourages circumventing network security controls imposed by infrastructure providers to block outbound SMTP abuse.
INFO (0): Clean Sparse-Checkout Installation — No Unexpected Behavior
Installation consisted solely of git clone with depth=1, sparse-checkout set, git checkout, cp -r, and rm -rf of the temporary clone directory. No post-install hooks, pre-install scripts, setuid binaries, or symlinks pointing outside the skill directory were detected. No network connections attributable to skill code occurred during installation.
INFO (0): Canary File Accesses Attributable to Audit Harness, Not Skill Code
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear in auditd PATH records at two time clusters: t≈1771952706 (before git clone at t≈1771952711 — audit setup baseline) and t≈1771952724 (post-install canary integrity verification by audit system). No PATH or EXECVE events link these accesses to skill scripts. All canary files confirmed intact with no content modifications.