Trust Assessment
aliyun-mail received a trust score of 62/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 0 high, 0 medium, and 1 low severity. Key findings include "Node lockfile missing", "Arbitrary file read for email body and attachments", and "Arbitrary SMTP configuration file path allows credential harvesting".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary file read for email body and attachments. The skill allows users to specify arbitrary file paths for email bodies (`--body-file`) and attachments (`--attachments`). The content of these files is then read and included in an email sent to a user-controlled recipient. This enables an attacker to exfiltrate sensitive files (e.g., `/etc/passwd`, `/root/.ssh/id_rsa`, application configuration files) from the system where the skill is executed. Remediation: Implement strict validation and sanitization of file paths. Only allow reading from explicitly permitted directories or use a file picker/upload mechanism. If arbitrary file paths are necessary, ensure the skill runs with minimal permissions and that the LLM's execution environment is isolated. For `--body-file`, consider if the content needs to be read from a file or if the body should always be provided directly. For attachments, restrict paths to a designated upload directory or temporary storage. | LLM | email_sender.py:107 |
| CRITICAL | Arbitrary SMTP configuration file path allows credential harvesting. The skill accepts a `--config-path` argument, allowing a user to specify an arbitrary file path for the SMTP configuration. An attacker could provide a path to a malicious JSON file containing an attacker-controlled SMTP server address. When the skill attempts to log in using the legitimate username and password from the original configuration, it would send these credentials to the attacker's server, leading to credential harvesting. This also grants excessive control over the skill's sensitive configuration. Remediation: Remove the `--config-path` argument. The skill should always load its configuration from a fixed, secure, and predefined location (e.g., `~/.openclaw/smtp-config.json`) that is not user-modifiable via command-line arguments. If configuration flexibility is required, consider environment variables or a secure, sandboxed configuration management system. | LLM | email_sender.py:248 |
| LOW | Node lockfile missing. `package.json` is present but no lockfile was found (`package-lock.json`, `pnpm-lock.yaml`, or `yarn.lock`). Remediation: Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/jixsonwang/aliyun-mail/package.json |