Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Email

v2.5.2

AI-powered email management assistant: supports IMAP retrieval from multiple mailboxes (QQ, 126, 163, Outlook), local archiving, AI-based detection of urgent emails, and automatic delivery to the user's chosen channel (Telegram, DingTalk, WeCom, Feishu, etc.).

by bubu (lamb@bu-bu-xxx)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill legitimately implements IMAP email retrieval, local archiving, LLM-based analysis, and multi-channel dispatch (Telegram/钉钉/WeCom/飞书). However, the registry metadata claims no required environment variables or credentials, while SKILL.md and the source code clearly require multiple secrets (email auth codes, OpenAI/Anthropic API keys, and channel credentials). That mismatch is incoherent and potentially dangerous: installing or enabling the skill without knowing which secrets are needed, or where they are used, is risky.
Instruction Scope
SKILL.md instructs the agent to read USER_GUIDE.md, help the user populate ~/.openclaw/.env, run init and setup-cron --apply, and run test modes. Those steps are within the stated purpose (install/configure the email assistant) but they give the agent active guidance to create/edit .env and to install cron jobs. The guide also directs the agent to run commands that interact with the filesystem (create storage, save .eml, attachments) and to send messages to external channels — all expected for this functionality but privacy-sensitive. The instructions ask the agent to be proactive in modifying user config, which requires caution.
Install Mechanism
No automated install spec is declared (instruction-only), but the package contains full source, pyproject.toml, and requirements.txt. Installation requires manual steps (git clone, pip install -r requirements.txt) described in README/INSTALL. The absence of a declared automated install + presence of executable code means the platform or user will need to run code and install dependencies manually — verify package origin before doing so.
Credentials
The skill requires sensitive credentials: email account auth codes (QQ/126/163/Outlook), LLM API keys (SMART_EMAIL_OPENAI_API_KEY, SMART_EMAIL_ANTHROPIC_API_KEY or equivalent), and channel delivery credentials (Telegram/DingTalk/WeCom/Feishu). The registry incorrectly lists 'none' for required env vars/primary credential. Additionally, SKILL.md/code references some env vars (e.g. SMART_EMAIL_OPENAI_API_URL, SMART_EMAIL_OPENAI_MODEL, SMART_EMAIL_DELIVERY_TARGET) but does not declare channel bot tokens or other channel-specific secrets — likely missing from registry metadata. Sending email contents (including inline images encoded as base64) to third‑party LLM APIs is part of normal operation but is high‑sensitivity data flow and should be explicitly acknowledged by the user.
Persistence & Privilege
always:false (normal). The skill's workflow includes creating scheduled jobs (setup-cron --apply) that will make the skill run periodically (check/digest/dispatch). That behavior is consistent with an email assistant but means the code will operate autonomously once configured and will access local storage (~/.openclaw/workspace/smart-email-data/). Combine this with the missing credential declarations and you have a larger blast radius if misconfigured — exercise caution before enabling cron.
What to consider before installing
Key things to check before installing or enabling this skill:

1) Secrets and env vars: The registry lists no required env vars, but SKILL.md and code require email auth codes and LLM API keys (OpenAI/Anthropic) and likely channel tokens for Telegram/钉钉/飞书/企业微信. Do NOT paste secrets into .env until you review where they are used. Confirm which channel credentials (bot token, webhook, app secret) the dispatch code expects.

2) Review dispatch code: Inspect dispatcher/dispatch-related files to see what external endpoints are used and how credentials are sent. Ensure channel integrations do not leak full email bodies or attachments to unintended endpoints.

3) Privacy of LLM calls: The analyzer code encodes inline images to base64 and sends email text/images to external LLM providers. If you use a third‑party API key, you are sending email content to that vendor. If that is unacceptable, consider using a local provider you control (subagent) or disable multimodal analysis.

4) Test mode first: Use the provided test-check/test-digest/test-dispatch modes (they claim not to send messages and to use tmp/ paths). Run tests and inspect tmp/outbox/pending to confirm behavior before enabling cron or adding real credentials.

5) Cron and system changes: setup-cron --apply will create recurring jobs. Only run it after you confirm the script behavior and are comfortable with scheduled runs that can access archived emails and credentials.

6) Source provenance: The package contains full source and points to multiple repository URLs in docs; verify the repository origin and check integrity (git remote, commit history) before installing. Avoid blindly running automatic install prompts that fetch code from unknown URLs.

7) Least privilege: Create and supply API keys with the minimal scope possible. If possible, use per-skill accounts/bots (a dedicated Telegram bot, dedicated mailbox, or delegated auth) rather than your primary account credentials.
If you want, I can: (A) list the exact environment variables and config keys referenced in the code, (B) point out where dispatchers expect channel credentials in the source, or (C) extract the functions that send data externally so you can review them more easily.
