Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

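WeCom Email

WeCom (Enterprise WeChat) mailbox operations: send email from a dedicated mailbox. Supports reading meeting minutes, business documents and similar files and sending them as the email body.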

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 118 · 1 current installs · 1 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
Name/description say 'send corporate WeCom email' and the instructions show SMTP code to do exactly that, so the capability matches the purpose. However, the skill metadata declares no required credentials or config paths while the runtime instructions explicitly reference credential files (e.g., ~/.openclaw/workspace/memory/sc-email-credentials.enc and email-credentials.enc). The absence of declared credentials/config paths in metadata is an incoherence that prevents a clear security review and least-privilege enforcement.
! Instruction Scope
The SKILL.md tells the agent to read local files (meeting notes and specific encrypted credential files) and to decode credentials (base64 -d example). That means the skill will read and transmit local content and secrets to an external SMTP server. It also references a separate 'personal email' credentials file path, which is outside the explicit 'dedicated mailbox' (专用邮箱) concept and could enable access to unrelated credentials. While reading meeting notes is reasonable for sending them, instructions do not constrain which files are allowed and rely on agent discretion — this grants broad scope to access local files and secrets.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. There is no download or package installation described.
! Credentials
No environment variables or primary credential are declared in the metadata, yet the instructions require an SMTP account and reference multiple credential file paths and decoding steps. Requesting access to credential files (including a personal credentials path) without declaring them is disproportionate and opaque; the skill should explicitly declare which credential/config path it needs and why.
Persistence & Privilege
The skill does not request always: true, does not modify other skills, and is user-invocable only by default. It does instruct reading/writing within the agent workspace (~/.openclaw/workspace) but stays within its own workspace paths rather than system-wide configuration. Still, the ability to read credentials in that workspace is sensitive and should be declared.
What to consider before installing
This skill performs the advertised task (send corporate email) but the SKILL.md tells the agent to read and decode local credential files while the metadata lists no required credentials — that's a mismatch you should not ignore. Before installing or enabling:

  1) Ask the publisher which exact credential/config path(s) the skill will access and require that to be declared in metadata.
  2) Ensure the SMTP account is a dedicated, restricted mailbox (not your primary personal account).
  3) Require the skill to prompt for explicit user consent every time before reading any local file or sending an email.
  4) Prefer short-lived or minimum-permission credentials (or an API-based integration) instead of storing reusable secrets in plaintext/base64.
  5) If the skill is from an unknown source, test in a sandboxed environment and verify the credential files referenced exist and contain only the intended mailbox credentials.

If the author cannot clearly justify the credential paths and access controls, treat the skill as unsafe to enable.
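The declared-versus-referenced mismatch the scan describes can be checked mechanically. The sketch below is an added example, not ClawHub's or the skill author's code: `audit_skill`, the `declared_paths` set (standing in for whatever the skill metadata declares) and the name heuristics are assumptions, and the sample text is constructed from the paths quoted on this page.

```python
import re

# Home-relative paths (~/...) as they appear in skill instructions.
PATH_RE = re.compile(r"~/[\w./-]+", re.ASCII)
# Name fragments that suggest a file holds secrets (assumed heuristic list).
SECRET_HINTS = ("credential", "secret", "token", "password", ".enc", ".pem", ".key")
# Instruction lines that turn a stored secret back into plaintext.
DECODE_RE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")

# Constructed excerpt: the three paths and the decode command quoted on this page.
SAMPLE_SKILL_MD = """\
Credential file: ~/.openclaw/workspace/memory/sc-email-credentials.enc
Decode example: base64 -d ~/.openclaw/workspace/memory/sc-email-credentials.enc
Mailbox list: ~/.openclaw/workspace/memory/enmo-emails.enc
Personal mailbox: ~/.openclaw/workspace/memory/email-credentials.enc
"""


def audit_skill(skill_md: str, declared_paths: set) -> dict:
    """Report secret-looking paths that the instructions use but the metadata omits."""
    referenced = {m.group(0).rstrip(".") for m in PATH_RE.finditer(skill_md)}
    secret_like = {p for p in referenced
                   if any(hint in p.lower() for hint in SECRET_HINTS)}
    decode_lines = [line.strip() for line in skill_md.splitlines()
                    if DECODE_RE.search(line)]
    return {
        "undeclared": sorted(secret_like - declared_paths),
        "decode_commands": decode_lines,
    }


if __name__ == "__main__":
    # The metadata on this page declares no credential paths, hence the empty set.
    report = audit_skill(SAMPLE_SKILL_MD, declared_paths=set())
    for path in report["undeclared"]:
        print("undeclared secret-like path:", path)
    for line in report["decode_commands"]:
        print("decode step in instructions:", line)
```
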


Current version: v1.0.0
latest vk9733grttz81h2kkb0xpn9fzzx83dp7e

Runtime requirements

📧 Clawdis

SKILL.md

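📧 WeCom Email - Enterprise WeChat Mailbox

Send work email from a dedicated mailbox.

Quick start

1. Configure SMTP

Configuration items
  • SMTP server: smtp.exmail.qq.com
  • SMTP port: 465 (SSL)
  • Email account: YOUR_EMAIL@YOUR_DOMAIN.COM
  • Credential file: ~/.openclaw/workspace/memory/sc-email-credentials.enc

2. Send an email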

import smtplib
from email.mime.text import MIMEText
from email.mime.multipart import MIMEMultipart

SMTP_SERVER = "smtp.exmail.qq.com"
SMTP_PORT = 465  # implicit TLS (SSL)
SMTP_USER = "YOUR_EMAIL@YOUR_DOMAIN.COM"
SMTP_PASSWORD = "YOUR_PASSWORD"  # placeholder value

def send_email(to, subject, body):
    """Send a plain-text UTF-8 email to the list of addresses in `to`."""
    msg = MIMEMultipart()
    msg['From'] = SMTP_USER
    msg['To'] = ", ".join(to)
    msg['Subject'] = subject
    msg.attach(MIMEText(body, 'plain', 'utf-8'))

    # The context manager closes the connection even if login or sending fails
    with smtplib.SMTP_SSL(SMTP_SERVER, SMTP_PORT) as server:
        server.login(SMTP_USER, SMTP_PASSWORD)
        server.sendmail(SMTP_USER, to, msg.as_string())

send_email(["recipient@example.com"], "邮件主题", "邮件内容")

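Security rules

Conditions for sending

  • ✅ Sending requires an explicit instruction from the user
  • ✅ Only work-related content may be sent
  • ✅ Use the dedicated mailbox account

Never send

  • ❌ Passwords, tokens, keys or other authentication material
  • ❌ Personal private information
  • ❌ Content unrelated to work

Account permissions

  • Dedicated mailbox: available to authorized users only
  • SC send-on-behalf mailbox: requires explicit user authorization

Usage examples

Sending meeting minutes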

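# Read the meeting-minutes file (explicit encoding so non-ASCII text is read correctly)
with open("meeting-minutes.md", 'r', encoding='utf-8') as f:
    content = f.read()

# Send the email; send_email is a helper wrapping the SMTP code from step 2
send_email(
    to=["colleague@example.com"],
    subject="会议纪要 - 日期",
    body=content
)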

Sending from the command line

# Send directly with the Python script
python3 scripts/send-email.py --to "xxx@example.com" --subject "主题" --body "内容"

Credential management

  • Credential location: ~/.openclaw/workspace/memory/sc-email-credentials.enc
  • Encoding: Base64 or AES encryption
  • Example decode command: base64 -d ~/.openclaw/workspace/memory/sc-email-credentials.enc
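Since the file may be either Base64 or AES according to the list above, a reviewer can tell which by inspecting the stored bytes: Base64 that decodes to readable text is recoverable by anyone who can read the file, regardless of the `.enc` suffix. This is an added example, not part of the skill; `classify_secret_blob` and its labels are hypothetical names.

```python
import base64
import binascii
import sys


def classify_secret_blob(data: bytes) -> str:
    """Classify a stored credential blob.

    'base64-text'   : Base64 of readable text, i.e. encoding only, no key needed
    'base64-binary' : Base64 wrapper around binary data (possibly ciphertext)
    'opaque'        : not Base64 at all (raw ciphertext or another format)
    """
    stripped = b"".join(data.split())  # tolerate line-wrapped Base64
    if not stripped:
        return "opaque"
    try:
        # validate=True rejects any byte outside the Base64 alphabet
        decoded = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return "opaque"
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        return "base64-binary"
    readable = all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return "base64-text" if readable else "base64-binary"


if __name__ == "__main__":
    # Usage: python3 classify_blob.py <path-to-credential-file>
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(classify_secret_blob(fh.read()))
    else:
        # Constructed sample: a fake credential line, Base64-encoded
        sample = base64.b64encode(b"user@example.com:constructed-password\n")
        print(classify_secret_blob(sample))
```
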

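Related files

  • Mailbox list: ~/.openclaw/workspace/memory/enmo-emails.enc
  • Personal mailbox: ~/.openclaw/workspace/memory/email-credentials.enc (authorized accounts only)

Trigger phrases

Activate this Skill when the user mentions any of the following:

  • "发送邮件" (send an email)
  • "发邮件" (send mail)
  • "邮件通知" (email notification)
  • "发送会议纪要" (send the meeting minutes)
  • "用邮箱通知" (notify by email)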
