Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
medal-email-quote
v1.0.0General-purpose ecommerce inquiry email automation skill. Periodically fetches customer inquiry emails, detects and translates languages, stores email data l...
⭐ 0· 42·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The code files implement IMAP fetching, language detection/translation, local archiving, and quotation generation as advertised. The libraries and logic are consistent with an ecommerce email-quote automation tool.
Instruction Scope
SKILL.md instructs editing a config file and running scripts/email_check.py; the actual configuration file is config/config.py (path mismatch). The runtime instructions and code only access IMAP, local storage, and translation libraries — they do not attempt to read unrelated system files. However the agent will handle real email content and may send text to third‑party translation services (googletrans) if enabled.
Install Mechanism
No install spec in the registry; this is an instruction/code bundle with a requirements.txt. Dependencies (pandas, langdetect, googletrans) are typical Python packages. No remote arbitrary downloads or extract steps are present in the manifest.
Credentials
The skill requires IMAP credentials (username/password) to operate, but the registry metadata declares no required environment variables or primary credential. Credentials are expected to be placed into config/config.py (plaintext in the project), which is inconsistent and risky. Translation settings also include a 'baidu_secret' placeholder. The absence of a declared credential in metadata may mislead users about what secrets will be needed.
Persistence & Privilege
The skill is not forced-always, does not modify other skills or system-wide settings, and only writes its own local storage directories. Running the optional daemon will periodically poll email per user-configured schedule (normal for this use case).
What to consider before installing
This package mostly does what it says (IMAP fetch → translate → generate quotes), but review these before installing: 1) Credentials: it expects your email username/password in config/config.py (plaintext). Do not put production credentials into repository files — prefer environment variables or a secrets store and update the code to read them securely. 2) Metadata mismatch: the registry lists no required credentials, so the skill may ask you to edit a config file instead of requesting an env var — be prepared to supply an email account (use an app‑specific/password and a dedicated mailbox). 3) Privacy/network: translations using googletrans or other engines will send email text to remote services (Google/Baidu); if customer data is sensitive, disable automatic translation or use a paid/private API with explicit data handling guarantees. 4) Docs/path mismatch: SKILL.md refers to scripts/config.py but the actual path is config/config.py — double-check where to edit. 5) Run in isolation: test with a throwaway email account and sample emails to verify behavior and that no unexpected external endpoints are contacted. If you accept the tradeoffs, consider hardening (move credentials to env vars, limit daemon scope/permissions, and review third-party library behavior).Like a lobster shell, security has layers — review code before you run it.
latestvk978g4t6nx207v4f56wn05qg5d84redr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.