mail-imap-sync
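v1.0.3 · High-performance IMAP mail synchronization tool. Supports incremental sync across multiple accounts and stores emails locally as Markdown in a time-based directory structure; suited to AI analysis and building an email knowledge base.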
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description (IMAP sync -> local markdown store) align with code: main.py uses imaplib to log into IMAP servers, fetch messages, parse them and write Markdown files in an emails/ tree. The included config.json, state.json and SKILL.md describe and match this behavior.
Instruction Scope
SKILL.md and run.sh tell the agent to run run.sh which installs two PyPI packages and runs main.py. The runtime reads config.json and state.json and writes files under emails/ and state.json. There are no instructions to read unrelated system files or send data to external endpoints beyond the IMAP servers. Important: credentials are provided in config.json (plaintext) according to the doc, so sensitive data is kept in a local file rather than a secret store.
Install Mechanism
No formal install spec in registry, but run.sh executes 'pip install python-dateutil html2text' at runtime. Installing packages from PyPI is normal for Python scripts but will modify the runtime environment — consider running in a virtualenv/container and inspect the packages before installation.
Credentials
The skill does not request environment variables or platform credentials, but it relies on config.json containing account credentials (pass field). Storing IMAP passwords in plaintext in config.json is sensitive and not explicitly addressed in SKILL.md. There is no integration with secret storage or an option to supply credentials via environment variables.
Persistence & Privilege
Flags show normal privileges (always:false). The skill does not request permanent platform injection, does not modify other skills, and only writes its own state.json and emails/ files.
Assessment
This skill appears to do what it claims (download IMAP mail and save as Markdown), but take these precautions before installing or running it:
- Inspect and edit config.json: the example uses a 'pass' field stored in plaintext. Replace with an application-specific password and remove credentials from bundled files before use. Prefer supplying credentials via a secure mechanism (environment variables, OS keyring, or a secrets manager) rather than committing them to disk.
- Run in an isolated environment (virtualenv, container, or VM) because run.sh will pip-install packages into the environment.
- Review the included code (main.py) yourself — it handles IMAP login and file writes, and there's no remote exfiltration, but you should confirm it meets your policies.
- Backup or sandbox: running against an important account is risky until you validate behavior; test with a disposable account first.
- Note the small inconsistencies: run.sh suppresses pip output which can hide install problems, and the code declares a LOCAL_TZ of Asia/Taipei while normalize_email_date uses Asia/Shanghai — verify timezone handling if that matters.
