Trust Assessment
send-email received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 2 high, 1 medium, and 0 low severity. Key findings include Explicit Prompt Injection Attempt in Skill Documentation, Shell Command Injection via Unsanitized Arguments in `send_email.sh`, Arbitrary File Read and Exfiltration via Attachment in `send_email.py`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Explicit Prompt Injection Attempt in Skill Documentation.** The `SKILL.md` file, which is treated as untrusted input, contains direct commands to the host LLM such as "Do not read" and "Never read". While these instructions aim to prevent credential exposure, they follow a prompt injection pattern: the LLM should not follow directives embedded in untrusted skill documentation, because the same channel can be used to manipulate its behavior or override its safety instructions. Remediation: remove direct instructions or commands to the LLM from untrusted skill documentation. The LLM should infer skill behavior from the manifest and code, not from directives within markdown; instead, describe the skill's functionality and expected inputs/outputs. | LLM | SKILL.md:5 |
| CRITICAL | **Shell Command Injection via Unsanitized Arguments in `send_email.sh`.** The `send_email.sh` script constructs shell commands (`mutt`, `msmtp`) by directly interpolating user-controlled arguments (`$TO`, `$SUBJECT`, `$BODY`, `$ATTACHMENT`, `$ACCOUNT`) without sanitization or escaping. An attacker can inject shell metacharacters (e.g., `;`, `\|`, `$(...)`) into these arguments to execute arbitrary commands on the host system. Remediation: sanitize or escape all user-provided arguments before incorporating them into shell commands. Consider using `printf %q` for shell arguments, or switch to a safer method such as a Python script where arguments are passed as a list to `subprocess.run` rather than through a shell. | LLM | send_email.sh:26 |
| HIGH | **Arbitrary File Read and Exfiltration via Attachment in `send_email.py`.** The `send_email.py` script accepts an arbitrary file path as an attachment, reads its content (`f.read()`), and includes it in the email. This lets an attacker exfiltrate any file readable by the skill's execution environment by specifying its path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `~/.openclaw/openclaw.json`). Remediation: implement strict validation and sandboxing for attachment paths. Restrict attachments to a specific, non-sensitive directory, or require explicit user confirmation for file access. Avoid reading arbitrary paths taken directly from user input. | LLM | send_email.py:40 |
| HIGH | **Arbitrary File Read and Exfiltration via Attachment in `send_email.sh`.** The `send_email.sh` script accepts an arbitrary file path as an attachment (`$ATTACHMENT`). If `mutt` is installed, it attaches the specified file to the email. This lets an attacker exfiltrate any file readable by the skill's execution environment by specifying its path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, `~/.openclaw/openclaw.json`). Remediation: implement strict validation and sandboxing for attachment paths. Restrict attachments to a specific, non-sensitive directory, or require explicit user confirmation for file access. Avoid delegating attachments to external tools like `mutt` when the path has not been validated first. | LLM | send_email.sh:26 |
| MEDIUM | **Access to Potentially Sensitive `~/.msmtprc` Configuration in `send_email.sh`.** The `send_email.sh` script, particularly when `mutt` is used with a non-default account, explicitly references `~/.msmtprc` (`-F ~/.msmtprc`). Even when `msmtp` is invoked directly, it relies on its default configuration, which is typically `~/.msmtprc`. This contradicts the `SKILL.md` instruction "Do not use ~/.msmtprc". If `~/.msmtprc` contains sensitive information (e.g., passwords, server details), its use by the skill could lead to credential harvesting or data exfiltration, especially if an attacker can control the `ACCOUNT` parameter. Remediation: remove the reliance on `mutt` and `msmtp` for sending email, especially where they read user-specific configuration files like `~/.msmtprc`. The Python script already sends email using environment variables, which is a more appropriate approach for agent skills. If `msmtp` must be used, ensure its configuration is strictly controlled and does not expose sensitive data, or use a dedicated, sandboxed configuration file. | LLM | send_email.sh:26 |
Full report: https://skillshield.io/report/30da659dd1b5958d (Powered by SkillShield)