ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Qq Email

v1.0.0

Send and receive emails via QQ Mail SMTP/IMAP. Use when: user wants to send/receive emails, check inbox, read messages, or share documents via email. Require...

1· 410·3 current·4 all-time
by@chao-nj-cn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the included Python tool implements SMTP/IMAP access to smtp.qq.com/imap.qq.com and the SKILL.md explains configuring a QQ auth code. Required binary (python3) is appropriate and proportional.
Instruction Scope
Runtime instructions only invoke the local qq_email.py and point to ~/.openclaw/workspace/TOOLS.md for configuration. The script reads TOOLS.md or environment variables, accesses attachments provided by the user, and connects to QQ's mail servers — all consistent with the stated email-sending/receiving purpose.
Install Mechanism
No install spec (instruction-only) and a bundled Python script are present. Nothing is downloaded from external or untrusted URLs; no archives are extracted. Risk from install mechanism is low.
Credentials
The skill does not request unrelated credentials. It needs the QQ email address and 16-char authorization code (either via env vars or TOOLS.md) which are necessary to access QQ SMTP/IMAP. No additional secrets or unrelated environment variables are required.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. It reads its own config (TOOLS.md) and user-specified attachment paths but does not modify other skills or system-wide settings.
Assessment
This skill appears to do exactly what it claims: send and receive QQ Mail using a local Python script. Before installing, be aware that you must provide your QQ email address and the 16-character QQ authorization code — either via environment variables or by placing them in ~/.openclaw/workspace/TOOLS.md. Storing auth codes in plaintext files can expose them if that file is backed up or committed; using environment variables is safer. Review the included qq_email.py if you want to confirm no unexpected network endpoints are contacted (it appears to connect only to smtp.qq.com and imap.qq.com). Do not share your auth code or commit TOOLS.md to a public repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97862wa3hqvptwtjenjvxwk81825wmr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binspython3

Comments