ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

QQ邮箱发票下载器

v1.1.0

自动登录QQ邮箱,按日期搜索发票邮件,下载PDF附件和解压ZIP,过滤非发票,生成分类Excel报告。

0· 58·0 current·0 all-time
by@frankfushmomentlab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md are consistent with the stated purpose (search QQ mailbox, download PDF/ZIP attachments, process and report). However multiple files hard-code a specific QQ email and password and a Windows base directory (e.g., BASE_DIR = r"Z:\OpenClaw\InvoiceOC" and EMAIL/PASSWORD constants). A user would expect to provide their own mailbox credentials and output directory; hardcoding the author's credentials and path is disproportionate and inappropriate.
!
Instruction Scope
SKILL.md documents running invoice_downloader_v82.py and optional MINIMAX_API_KEY use, but it does not tell users to configure mailbox credentials or the BASE_DIR. The runtime files connect to imap.qq.com, log in with the embedded credentials, fetch emails, open arbitrary links in a browser (Playwright), download files, and write to fixed disk locations. The instructions are incomplete/ambiguous and grant broad file- and network-access behavior not described in the manifest.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded by the registry. The code requires runtime dependencies (playwright, imap-tools, requests, pandas) and Playwright will install browsers when used. This is expected for a browser-automation downloader and is not itself a high install risk, but the skill will execute many network and local I/O operations when run.
!
Credentials
The manifest declares no required environment variables, yet the code uses: hard-coded EMAIL/PASSWORD/IMAP_SERVER and hard-coded output directories. SKILL.md mentions MINIMAX_API_KEY for optional LLM fallback but the primary authentication for mailbox access is not configurable via environment variables as the user would expect. There are also files (send_report_telegram.py / send_report.py referenced) that can send results externally but the skill does not declare or document required remote tokens/webhooks — this mismatch increases the risk of unexpected data transmission.
Persistence & Privilege
The skill is user-invocable and not marked always:true. It does not declare changes to other skills or global agent settings. It will run with the invoking agent's privileges and perform network and file operations, which is normal for this functionality. There is no evidence it attempts to persistently modify the agent registry or autostart itself.
Scan Findings in Context
[hardcoded-credentials] unexpected: Multiple source files (browser_processor.py, browser_tool.py, download_12306.py, download_single.py, etc.) define EMAIL = "181957682@qq.com" and PASSWORD = "dcdrfqjmoczrbhdj". A downloader should ask the user for their mailbox credentials or read them from declared env/config; embedding a specific account credential is inappropriate and risky.
[hardcoded-path] unexpected: Files use a hard-coded BASE_DIR/OUTPUT_DIR (e.g., Z:\OpenClaw\InvoiceOC). Expectation: allow setting via environment variable or CLI argument. Hard-coded paths reduce portability and may cause data to be written to unexpected locations.
[playwright-browser-automation] expected: Playwright usage (launching Chromium, navigating pages, clicking download buttons) matches the declared browser-driven download behavior and is expected.
[llm-api-key-env] expected: SKILL.md documents optional MINIMAX_API_KEY for LLM fallback (InvoiceAnalyzerWithLLM). Declaring an env var for an LLM API key is appropriate for that feature.
[external-reporting-scripts] unexpected: send_report_telegram.py and send_report.py are included but SKILL.md and registry metadata do not declare external webhook/tokens or where reports are sent. Inspect these files before running to know whether reports or data are transmitted to third-party endpoints.
What to consider before installing
Do not run this skill as-is. Before installing or executing: 1) Search the code and remove/replace any hard-coded EMAIL and PASSWORD values — never run code that logs into someone else's mailbox. 2) Change BASE_DIR/OUTPUT_DIR to a configurable value (env var or CLI arg) so files are written to a safe location you control. 3) Inspect send_report.py / send_report_telegram.py to see whether and where results are transmitted; if you don't want external uploads, disable or remove those parts. 4) If you must use the skill, provide your own mailbox credentials via a secure mechanism (never embed them in the repo); run in an isolated VM and with a throwaway mailbox for testing. 5) Consider running a local static secrets scan and reviewing network endpoints the code contacts. If you are unsure or cannot confidently audit the code, avoid using it or request a version that accepts credentials and paths via documented, secure configuration.

Like a lobster shell, security has layers — review code before you run it.

latestvk972k7zqf2d1bkm1e9rmfb7ej983nz96

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments