Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Indie Developer Support Email System

v1.0.12

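Intelligent triage for support email. A CLI keyword pre-filter auto-replies to common questions, and complex emails are forwarded to the AI-handled mailbox or the main mailbox, saving about 62% in token cost. Use when: (1) setting up automated support email triage for a SaaS product, (2) auto-replying...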

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (support email triage) match required pieces: mail-cli binary, Node.js script, cron/OpenClaw schedule. The npm install of @clawemail/mail-cli and the router.js script are proportional to the stated purpose.
Instruction Scope
SKILL.md and router.js keep to routing, classification, auto-reply and forwarding. The instructions also advise creating mail-cli profiles, scheduling the script as a recurring agent task, and explicitly warn not to run certain installcommands. The script invokes shell commands (execSync → mail-cli) and reads/writes local files; this is expected but gives the skill the ability to run mail-cli operations and manipulate local files — verify you trust the mail-cli package and the script before enabling automated scheduling.
Install Mechanism
Installation uses a named npm package (@clawemail/mail-cli) to provide the mail-cli binary. This is a standard registry install; moderate risk (npm package) but appropriate for the functionality.
Credentials
The skill declares no required env vars, but router.js reads mail-cli configuration files (e.g., ~/.config/mail-cli/config.json or APPDATA), and runs mail-cli commands which will use stored API keys/profiles. This is coherent with mail access but means the skill will access local mail-cli credentials/config — confirm those profiles are intentionally created and contain only the permissions you expect.
Persistence & Privilege
The skill is not forced-always and does not request system-wide persistent privileges. It expects you to register a scheduled task (cron/OpenClaw schedule) to run the script periodically; scheduling an agent task is a normal operational step for this use case.
Assessment
This skill appears to do what it says: run a Node script that uses the mail-cli tool to classify and forward support emails. Before installing or scheduling it:
- Review the router.js source (present) and the npm mail-cli package to ensure you trust them.
- Understand that the script will read your mail-cli config (~/.config/mail-cli/config.json or %APPDATA%) and thereby gain access to any API keys/profiles stored there — only create mail-cli profiles you trust and limit their permissions.
- Use the provided --test-classify and --dry-run modes to validate behavior before enabling scheduled runs, and ensure mainEmail points to a human account (not an agent mailbox) to avoid loops.
- Do not execute any returned 'installcommand' unless you understand it; the SKILL.md warns this can restart the agent and cause duplicate processing if misused.
- Consider filesystem permissions for the dataDir (~/.local/share/support-router) and validate the maxRepliesPerAddr limits to avoid accidental mass replies.
If you need higher assurance, run the script in an isolated test workspace and audit network access from the mail-cli binary.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/router.js:105: Shell command execution detected (child_process).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎧 Clawdis
Bins: mail-cli

Install

Install mail-cli
Bins: mail-cli
npm i -g @clawemail/mail-cli
