
email-sender

Fail

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: CRITICAL
Findings: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill implements a capability to read arbitrary files and transmit them externally. The send_email_with_attachments function in email_sender.py takes user-provided file paths, reads their content, and sends it via an SMTP connection.
  • [DATA_EXFILTRATION]: Targeted credential harvesting is performed by the load_env_file function, which specifically scans for and parses .env files in multiple local directories, including a hardcoded path for a specific user (/Users/delta/.openclaw/.env).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it interpolates external data into HTML email templates without sanitization. This provides an attack surface for phishing or delivering malicious content via outgoing emails.
  • Ingestion points: The content and body parameters in email sending functions.
  • Boundary markers: No delimiters or instructions are used to isolate untrusted content.
  • Capability inventory: The skill has both file-read capabilities and network access (SMTP).
  • Sanitization: No validation or escaping is applied to untrusted inputs before HTML interpolation.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Apr 18, 2026, 01:11 AM
Security Audit — agent-trust-hub — email-sender