Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

one-mail

v1.3.0

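Unified mailbox management CLI supporting Gmail, Outlook and NetEase mail (163.com, 126.com). Use it to: (1) receive/send mail, (2) search mail across accounts, (3) manage multiple mail accounts, (4) view mail statistics. Triggered when the user mentions mail, mailbox, email, sending mail, receiving mail or checking mail.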

Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill legitimately implements unified email management for Gmail, Outlook and NetEase via the included scripts. However the registry metadata claims no required binaries/env while the code clearly depends on external tools (gog, curl, jq, python3, openssl). That discrepancy is unexpected and should be corrected or explained.
Instruction Scope
SKILL.md and included scripts limit actions to configuring accounts, performing OAuth/IMAP/SMTP flows, fetching/sending mail, and storing credentials under ~/.onemail. Network calls go to expected providers (login.microsoftonline.com, graph.microsoft.com, imap/smtp servers). The setup flow prompts for secrets and stores them locally, which is typical for a CLI mail client.
Install Mechanism
No install spec is declared (low registry install risk). There is an install.sh that creates a symlink to a top-level onemail binary, but the repository manifest provided does not include an onemail entrypoint — install.sh may produce a broken link. No remote downloads or third-party archives are used.
Credentials
Registry metadata lists no required env vars or binaries, but the scripts require gog (Gmail), curl, jq, python3 and openssl; they also store OAuth refresh tokens and app-specific passwords in ~/.onemail/credentials.json (chmod 600). The skill requests sensitive secrets interactively (client secrets, refresh tokens, app passwords) — this is expected for an email client but the metadata should declare those dependencies. Credentials are kept locally rather than in a platform-kept secret store unless you opt into macOS Keychain.
Persistence & Privilege
always is false and the skill does not require forced inclusion. It stores config/credentials under ~/.onemail and updates them (e.g., refresh token rotation) which is normal for this type of tool. It does not modify other skills or system-wide configs beyond creating an optional symlink in /usr/local/bin.
What to consider before installing
This repo contains a plausible CLI mail client but has some inconsistencies you should address before installing:

(1) The registry metadata claims no required binaries/env but the scripts need gog (for Gmail), curl, jq, python3 and openssl — install those first.
(2) setup.sh/accounts.sh will prompt for OAuth client secrets, refresh tokens and app-specific passwords and store them in ~/.onemail/credentials.json (file is chmod 600). If you prefer, use the optional macOS Keychain support or review save_credentials/get_credentials to ensure you are comfortable with local storage.
(3) install.sh creates /usr/local/bin/onemail but the manifest shown does not include an onemail entrypoint — verify the onemail launcher exists in the package before running install.sh.
(4) The code uses eval when invoking the gog CLI and constructs some HTTP/IMAP arguments by string concatenation; avoid passing untrusted input into these commands to prevent shell/parameter injection.
(5) All network endpoints contacted are the expected providers (Microsoft, Gmail via gog, NetEase IMAP/SMTP); review the OAuth flows (client IDs/secrets) and ensure you trust the client configuration you provide.

If you need higher assurance, run the scripts in a sandboxed account or test environment and inspect ~/.onemail/credentials.json after setup.

Like a lobster shell, security has layers — review code before you run it.

latest vk970rpens8nsv7cr4sknt5qw9x82fatz
484 downloads
0 stars
9 versions
Updated 8h ago
v1.3.0
MIT-0

one-mail

A CLI tool for managing multiple mailboxes in one place. Configuration is stored in ~/.onemail/

Initialization

On first use, run setup to add an account:

bash scripts/setup.sh

Fetching mail

bash scripts/fetch.sh                          # all accounts
bash scripts/fetch.sh --unread                  # unread only
bash scripts/fetch.sh --account gmail           # specific account
bash scripts/fetch.sh --query "AI agent"        # search
bash scripts/fetch.sh --limit 10                # limit the number of results

Reading mail

bash scripts/read.sh --id <message_id> --account <name>
bash scripts/read.sh --account outlook --latest
bash scripts/read.sh --account gmail --query "MacBook"
bash scripts/read.sh --json                     # JSON output

Sending mail

bash scripts/send.sh \
  --to "recipient@example.com" \
  --subject "Hello" \
  --body "Email content"

# Specific account + attachment
bash scripts/send.sh \
  --account outlook \
  --to "recipient@example.com" \
  --subject "Report" \
  --body "See attachment" \
  --attach "/path/to/file.pdf"

Note: Outlook attachments are limited to 3MB.

Account management

bash scripts/accounts.sh list                   # list accounts
bash scripts/accounts.sh add                    # add an account
bash scripts/accounts.sh remove <account_id>    # remove an account
bash scripts/accounts.sh set-default <id>       # set the default account

Statistics

bash scripts/stats.sh

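Provider requirements

| Provider | Authentication | Prerequisites |
| --- | --- | --- |
| Gmail | OAuth 2.0 | Requires the gog CLI |
| Outlook | OAuth 2.0 (Graph API) | Requires Mail.ReadWrite + Mail.Send permissions |
| NetEase 163 | IMAP/SMTP | IMAP must be enabled and an app password used |
| NetEase 126 | IMAP/SMTP | IMAP must be enabled and an app password used |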

Dependencies

Required: curl, jq, python3. Optional: gog (Gmail OAuth).

Troubleshooting

If you run into authentication or connection problems, see troubleshooting.md
