Security checks across malware telemetry and agentic risk
The skill has a legitimate spam-cleanup purpose, but it bundles and uses mailbox credentials and can change an enterprise mailbox by default.
Review before installing. Remove the bundled secrets.json, rotate the exposed mailbox password, use a secure secret store or tightly permissioned local file, require HTTPS before login, prefer dry_run=true until rules are validated, and use a dedicated browser profile so mailbox sessions are contained.
--- ## Required files ### 1) secrets.json (required) Path: `~/.openclaw/workspace/skills/ztpc-spam-sweep/secrets.json`
## Procedure (browser automation) ### Step 0: Setup - Read `secrets.json`. - Load allowlist/blocklist if present. ### Step 1: Open and login
- If the UI shows mailbox main layout (folders like 收件箱/未读邮件/垃圾邮件 etc) => logged in.
- Else, if login iframe/panel is visible => proceed to login.
4. Login (if needed):
- Fill username + password from `secrets.json`.
- Click 登录.
- If login fails with “用户名或密码错误” => STOP and report:
`状态:登录失败(账号或密码错误)`64/64 vendors flagged this skill as clean.