ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

163 Email Monitor

Connect to 163/126/yeah.net (Coremail) email via IMAP, read inbox, search emails, and send emails via SMTP. Activate when user asks to check email, read mail...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 49 · 0 current installs · 0 all-time installs
byEmory Sermon@hanyuhh
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md implement an IMAP/SMTP client tailored to Coremail (adds the required ID command) which matches the skill name and description. However the registry metadata lists no required credentials or primary credential, while the runtime instructions require a local .env file containing email address and authorization code — a mismatch between declared requirements and actual needs.
Instruction Scope
SKILL.md and the script limit operations to connecting to IMAP/SMTP, reading/searching mailbox and sending mail. The script reads a local config file (~/.openclaw/email-monitor/.env) for credentials and may print message previews or JSON to stdout. There are no instructions to access unrelated system files or external endpoints beyond IMAP/SMTP, and no evidence of data exfiltration in the provided code.
Install Mechanism
No install spec — instruction-only plus a Python script. Nothing in the manifest downloads or executes remote installers; risk from install mechanism is low.
Credentials
The skill requires the user's email address and an authorization code (授权码) to function, which is proportionate to its purpose. But those secrets are expected in a local .env file rather than in declared required env vars/primary credential, and the registry metadata does not advertise this requirement — the omission reduces transparency about what sensitive data the skill needs.
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence or system-wide config changes. Autonomous invocation is allowed (platform default), but that alone is not a red flag here.
What to consider before installing
This skill appears to implement a legitimate IMAP/SMTP client for 163/126/yeah.net, but it requires your email address and an authorization code stored in a local file (~/.openclaw/email-monitor/.env) even though the registry metadata doesn't declare any required credentials. Before installing or running it: (1) Review the full scripts/mail_client.py file yourself (or have someone you trust audit it) to confirm there are no hidden network calls or logging of credentials. (2) Store the authorization code in a file with strict permissions (chmod 600) or consider using an isolated environment/container. (3) Prefer using the provider's per-app authorization code (as instructed) rather than your main account password; revoke that authorization code in your account settings if you stop using the skill. (4) Be aware the script can send emails (so it could send messages on your behalf if run); only run it from trusted machines. (5) If you want better transparency, ask the publisher to add required-credential metadata (primary credential) and to document how credentials are stored and protected. If you cannot audit the code, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.1
Download zip
163vk978nzxkzh517v3w2dce96pmk183fgafcoremailvk978nzxkzh517v3w2dce96pmk183fgafemailvk978nzxkzh517v3w2dce96pmk183fgafimapvk978nzxkzh517v3w2dce96pmk183fgaflatestvk978nzxkzh517v3w2dce96pmk183fgafmonitorvk978nzxkzh517v3w2dce96pmk183fgafsmtpvk978nzxkzh517v3w2dce96pmk183fgaf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

163 Email Monitor

Key Insight: Coremail ID Command

163/126/yeah.net use Coremail which requires an IMAP ID command before any mailbox operation, otherwise returns "Unsafe Login" even with valid credentials.

Setup

Prerequisites

Credentials in ~/.openclaw/email-monitor/.env:

IMAP_SERVER=imap.163.com
IMAP_PORT=993
SMTP_SERVER=smtp.163.com
SMTP_PORT=465
EMAIL_ADDRESS=your@163.com
EMAIL_PASSWORD=your_auth_code

The EMAIL_PASSWORD is the 授权码 (authorization code), not the login password. Users obtain it from: 163 Mail → Settings → POP3/SMTP/IMAP → Enable IMAP → Get authorization code.

Server Reference

ProviderIMAP ServerSMTP Server
163.comimap.163.com:993smtp.163.com:465
126.comimap.126.com:993smtp.126.com:465
yeah.netimap.yeah.net:993smtp.yeah.net:465

Usage

All operations use scripts/mail_client.py:

# Read unread emails
python3 scripts/mail_client.py read --unread

# Read latest N emails
python3 scripts/mail_client.py read --latest 10

# Search emails by keyword
python3 scripts/mail_client.py search "amazon"

# Search by sender
python3 scripts/mail_client.py search --from "no-reply@amazon.com"

# Search by date range
python3 scripts/mail_client.py search --since 2026-03-01 --before 2026-03-23

# Send email
python3 scripts/mail_client.py send --to recipient@example.com --subject "Hello" --body "Content here"

# Send with attachment
python3 scripts/mail_client.py send --to recipient@example.com --subject "Report" --body "See attached" --attach /path/to/file.pdf

Pass --env /path/to/.env to override default config location.

Troubleshooting

ErrorCauseFix
Unsafe LoginMissing ID commandUse this skill's script (handles automatically)
AUTHENTICATIONFAILEDWrong auth codeRegenerate 授权码 in 163 web settings
LOGIN failedIMAP not enabledEnable IMAP in 163 Mail → Settings

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…