QQemail-agent

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it claims for QQ email, but it asks the agent to collect and persist an email authorization code that grants mailbox read/send access without strong scoping or credential safeguards.

Only install this if you are comfortable granting the skill IMAP/SMTP access to your QQ mailbox. Use a QQ authorization code rather than your main password, keep .env out of shared folders and source control, review every outbound email before sending, and revoke the authorization code when you no longer need the skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1

What this means

If the authorization code is mishandled, stored in the wrong directory, committed to a project, or reused without the user's awareness, anyone who obtains it, whether a person or another agent, could read mail or send mail as the user.

Why it was flagged

The skill directs the agent to receive and persist a QQ email authorization code that is then used for both IMAP read access and SMTP send access. This is sensitive delegated account authority and is not declared in the supplied registry credential metadata.

Skill content

You tell the agent your email address and authorization code ... the agent executes ... IMAP_PASS={授权码} ... SMTP_PASS={授权码} ... with open('.env', 'w', encoding='utf-8')
Recommendation

Declare the credential requirement clearly, prefer a secret manager or protected config location over plaintext chat-to-.env handling, warn users not to commit .env, and include revocation/cleanup steps.

Finding 2

What this means

An accidental or overly autonomous invocation could send sensitive local file contents or unintended messages from the user's email account.

Why it was flagged

The send script can read a user-supplied local file as the email body and send it through the configured QQ account. This is purpose-aligned, but it is a high-impact operation that should be explicitly user-directed.

Skill content

parser.add_argument('--file', help='从文件读取正文') ... body = f.read() ... server.sendmail(SMTP_USER, [to_email], msg.as_string())
Recommendation

Require explicit user confirmation of recipient, subject, body, and any file path before sending; only use --file for files the user selected for that email.

Finding 3

What this means

Private email contents may enter the agent/model context, and malicious email text could try to influence the agent if treated as instructions rather than data.

Why it was flagged

The script retrieves full email bodies into the returned data structure for later AI processing. This is expected for an email parsing assistant, but mailbox content is private and may also contain untrusted instructions.

Skill content

emails.append({ 'subject': msg.subject, 'from': msg.from_, 'date': msg.date, 'text': msg.text or msg.html })
Recommendation

Filter to the minimum necessary messages, avoid processing secrets, and instruct the agent to treat email bodies as untrusted data that must not override the user's goals.