email-quote-automation

Advisory. Audited by static analysis on May 7, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Private or unrelated unread emails could be archived, translated, and marked as read, making the user miss messages or expose content outside the intended workflow.

Why it was flagged

The code searches every unread message in INBOX and then marks processed messages as read, with no artifact-backed filtering to only customer inquiry emails.

Skill content

status, messages = conn.search(None, 'UNSEEN') ... conn.store(msg_uid.encode(), '+FLAGS', '\\Seen')

Recommendation

Use a dedicated inquiry mailbox or folder, add sender/subject filtering, and require review before marking messages as read.

What this means

If configured with a primary mailbox, the skill can access business or personal email content and change read status for that account.

Why it was flagged

The skill expects mailbox credentials that allow reading and changing mailbox state; this sensitive credential requirement is high-impact and not narrowly constrained in the artifacts.

Skill content

'username': 'your-email@example.com', 'password': 'your-password-or-app-key', 'use_ssl': True

Recommendation

Use an app-specific password for a dedicated mailbox with the least privileges available, and clearly document the credential requirement in metadata.

What this means

Customer emails, including potentially confidential order details, may be sent to a third-party translation service automatically.

Why it was flagged

Email body text is sent to an external translation provider when translation is enabled; the default config enables the google_free translation engine.

Skill content

result = self.translator.translate(text, dest=self.target_lang)

Recommendation

Disable automatic translation for sensitive mail, use an approved translation provider, or ask for confirmation before sending email content to an external service.

Note: High Confidence

ASI10: Rogue Agents

What this means

If left running, the skill will continue processing future unread emails automatically.

Why it was flagged

The daemon is an optional long-running worker that continuously checks email at the configured interval.

Skill content

while True: ... check_once() ... time.sleep(interval_seconds)

Recommendation

Run the daemon only for a dedicated mailbox or folder, monitor its logs, and stop it when not needed.

What this means

Dependency updates or compromised packages could change behavior in the local environment.

Why it was flagged

The README asks users to install Python dependencies; two packages allow version drift and googletrans is a release-candidate dependency. This is common for Python tools but still a supply-chain consideration.

Skill content

pandas>=1.3.0
langdetect>=1.0.9
googletrans==4.0.0-rc1

Recommendation

Install in a virtual environment, pin exact versions with hashes, and review dependencies before use.