Recruit Email Monitor
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its stated email-monitoring purpose, but it contains hardcoded mailbox credentials and sends briefings to a fixed Feishu user, so it should be reviewed before use.
Do not install or run this skill as-is. First remove the embedded mailbox credentials, rotate any exposed auth codes, replace the hardcoded Feishu recipient with your own target, update the fixed /home/erhao paths, and review the cron jobs before enabling automatic monitoring.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill could access mailboxes tied to hardcoded credentials, and the published artifact itself exposes sensitive account secrets.
The script includes concrete email usernames and auth-code-like passwords in source instead of requiring user-provided credentials through a scoped secret mechanism.
EMAIL_ACCOUNTS = [ ... 'user': '2623...[redacted]@qq.com', 'password': 'bxfw...[redacted]' ... 'user': 'haoxian_niu@163.com', 'password': 'XSty...[redacted]' ... ]
Do not run this as-is. Remove and rotate the embedded mailbox auth codes, require users to provide their own credentials through secure configuration, and declare the credential requirement in metadata.
Recruitment email summaries, including subjects, senders, status, and links from the spreadsheet, could be sent to someone other than the installing user.
The daily briefing is sent via the OpenClaw Feishu messaging command to a fixed user ID described as the owner's Feishu target, not a user-provided recipient.
# Send to the owner's Feishu ... '--channel', 'feishu', '--target', 'user:ou_8de02604...[redacted]', '--message', briefing.strip()
Replace the hardcoded Feishu target with an explicit user-controlled setting, require confirmation before first send, and document exactly what email data is transmitted.
Email subjects, senders, links, and processing history may remain on disk and may be exposed if the shared directory is synced or accessible to others.
The skill persistently stores recruitment email records and processed-message IDs in fixed local paths.
EXCEL_PATH = '/home/erhao/shared/招聘邮件汇总.xlsx' ... PROCESSED_FILE = '/home/erhao/.openclaw/scripts/processed_emails.json'
Use a user-selected storage path, document retention behavior, and avoid storing more email content than necessary.
After cron import, the skill can keep checking email and sending notifications without further manual action.
The provided cron file enables recurring hourly mailbox checks and a daily briefing job when imported.
"enabled": true ... "expr": "0 * * * *" ... "text": "python3 scripts/email-heartbeat-check.py"
Import the cron jobs only after credentials, paths, and Feishu target are corrected, and verify how to disable or remove the jobs.
