139mail (unofficial)

v1.0.4

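IMAP/POP3 operation skill for 139 Mailbox. Supports viewing the inbox and unread mail, sending mail, searching mail, managing mail, and sorting mail over the IMAP/POP3 protocols. An account and authorization code must be configured before first use. This skill is triggered when the user needs to operate a 139 mailbox (mail.10086.cn).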

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, scripts, and docs are coherent: the scripts implement IMAP/SMTP operations (view/search/send/manage/move) and require the mailbox username and an authorization code. No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
Runtime instructions legitimately ask the user to provide their 139 Mailbox account and authorization code and to run the included scripts. The skill prompts the agent/user for credentials and instructs saving them to a local JSON config file. It also recommends and uses SSL compatibility measures (unverified SSL context and reduced security level) and suggests setting PYTHONHTTPSVERIFY=0 for debugging; these weaken TLS certificate validation and are explicit risks called out in the docs.
Install Mechanism
No install spec in registry; user is instructed to pip install imapclient (a known Python package). No downloads from arbitrary URLs or archive extraction are present.
Credentials
The only sensitive data required is the mailbox username and authorization code, which is appropriate for an email client. Credentials are stored in a local JSON config file (config/139mail.conf) in plaintext; the code attempts to chmod the file to 0o600 but this is best-effort and may not be effective on Windows. No other credentials or unrelated environment variables are requested.
Persistence & Privilege
Skill does not request always:true or other elevated platform privileges. It creates/reads its own config file under the skill's config directory and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says (manage a 139 mailbox via IMAP/SMTP), but you should consider the following before installing or using it:
- It requires your 139 mailbox address and the 16‑character authorization code; the agent may ask you to paste these in chat if you follow the provided prompt. Prefer entering credentials locally (running the provided config_manager.py) instead of typing them into an open chat whenever possible.
- Credentials are stored in a plaintext JSON file (config/139mail.conf). The script tries to chmod the file to 600, but that may not be enforced on Windows. If you care about secrecy, store credentials in a secure credential store or limit filesystem access to that file.
- The code disables normal certificate verification (ssl._create_unverified_context()) and lowers OpenSSL security level to connect to an old TLS server. This is acknowledged in the docs but reduces transport security and makes man‑in‑the‑middle attacks easier. Only use this on trusted networks, and avoid running it on untrusted/public Wi‑Fi.
- If you only need short‑term access, consider creating an authorization code and revoking it after use. Review and run the scripts in an isolated environment (e.g., a VM or dedicated container) if you are unsure.

If you want stronger guarantees, ask the author to implement certified TLS verification fallback, encrypt the config on disk or integrate with OS credential stores, and avoid recommending PYTHONHTTPSVERIFY=0.

Like a lobster shell, security has layers — review code before you run it.
