Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
139mail
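v1.0.0
139 Mail send/receive Skill - supports the IMAP/SMTP protocols and is compatible with mainstream mail providers such as 139/QQ/163/Gmail. Features: 1. Send mail (SMTP) 2. Receive mail (IMAP) 3. View the inbox list 4. View unread mail. Activated when the user mentions "发邮件" (send mail), "收邮件" (receive mail), "查看邮件" (check mail), "邮箱" (mailbox) or "email": this s...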
by Zhang Dong @chang-tong
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the code and package.json: the skill implements send/list/read via SMTP/IMAP and depends on nodemailer/imap/mailparser — all expected for an email client.
Instruction Scope
SKILL.md instructs storing credentials in a local config and describes usage; the runtime script reads a local JSON config and may print connection info during a 'test'. Minor inconsistency: SKILL.md suggests ~/.openclaw/skills/139mail/config/email.json while the script reads ../config/email.json relative to the package root. Also the script will read files passed as attachments (expected) and will output some config values during 'test'.
Install Mechanism
This is an instruction+code skill with typical npm dependencies listed in package.json and package-lock.json; there is no remote arbitrary download, no URL shorteners, and dependencies are standard email-related packages.
Credentials
No environment variables or external credentials are requested; credentials are expected in a local config file (email/password). This is proportional for an email client, but storing plaintext credentials in a file is sensitive and should be handled carefully.
Persistence & Privilege
always is false and the skill does not request system-wide settings or modify other skills. It only reads its own config and files specified for attachments.
Assessment
This skill appears to be what it claims: an IMAP/SMTP email client implemented in Node.js. Before installing: (1) confirm where the config file lives (SKILL.md path and script path differ) and place your credentials in the correct location; (2) prefer using provider 'authorization codes' or app-specific passwords (not your main account password); (3) restrict file permissions on the config (chmod 600) and avoid committing it to git; (4) be aware the script sets tlsOptions.rejectUnauthorized = false for IMAP connections (this weakens certificate validation and could allow MITM attacks) — consider modifying the code to enable proper TLS verification for your mail servers; (5) review or sandbox the skill if you are concerned about exposing attachments or credentials, and consider using an OS secret manager rather than a plaintext file.
Like a lobster shell, security has layers — review code before you run it.
