alimail
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears to do the advertised AliMail employee lookup, but it requires enterprise OAuth credentials and returns internal directory information.
Before installing, confirm that the AliMail client credentials are scoped only for employee lookup and that the workspace is allowed to query internal employee email and employee-number data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone able to invoke the skill with these credentials may query employee directory records such as email addresses and employee numbers.
The skill uses AliMail OAuth client credentials to obtain an access token for directory lookup. This is disclosed and purpose-aligned, but it is still delegated enterprise account authority.
"client_id": self.cid, "client_secret": self.secret
Provide credentials with the minimum AliMail permissions needed for user search, and install the skill only in workspaces where employee directory lookup is intended.
Users could cause broader-than-intended employee lookups if they provide non-name search text.
The user-provided name is placed directly into the AliMail filter query. The request is read-only and limited to 10 results, but unusual input could broaden or alter the directory search.
params = {"filter": f"(name=*{name})", "size": 10}
Use the skill for specific employee-name lookups; consider adding input validation or escaping for AliMail filter syntax.
