腾讯企业邮箱/qqexmail

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill mostly matches its Tencent enterprise email purpose, but it disables SMTP certificate verification and has a documented date filter that the code does not actually enforce.

Review carefully before installing. If you use it, fix the SMTP TLS setting first, confirm exactly which messages will be read, verify every outbound email before sending, and keep EXMAIL_AUTH_CODE out of code and shared logs.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

Insecure TLS verification

Warn
Finding
HTTPS certificate verification is disabled.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Tencent enterprise email authorization code could be exposed, allowing someone to read or send mail as the account.

Why it was flagged

The script sends the mailbox authorization code to the SMTP service while disabling TLS certificate verification, which can allow a network attacker or impersonated server to capture credentials or email content.

Skill content
auth: {
  user: account,
  pass: authCode,
},
tls: {
  rejectUnauthorized: false,
},
Recommendation

Do not use the send script until certificate verification is restored; remove rejectUnauthorized: false and rely on normal TLS validation for smtp.exmail.qq.com.

What this means

If you ask for mail from a limited date range, the tool may still show messages outside that intended range.

Why it was flagged

The code detects the --days argument but never uses it to build a date/SINCE query; it still fetches the latest messages by count.

Skill content
const daysIdx = args.indexOf('--days');
let limit = 10;
...
const fetchRange = `${box.messages.total - actualLimit + 1}:${box.messages.total}`;
const fetch = imap.seq.fetch(fetchRange, { bodies: '' });
Recommendation

Implement the documented IMAP SINCE filter before relying on --days, or remove the option and clearly disclose that only a latest-message count is supported.

What this means

The platform may not warn you up front that the skill needs an email account authorization code.

Why it was flagged

The registry metadata does not declare credentials even though SKILL.md and the scripts require EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE for mailbox access.

Skill content
Required env vars: none
Env var declarations: none
Primary credential: none
Recommendation

Treat EXMAIL_AUTH_CODE as a sensitive app password, provide it only locally, and revoke/regenerate it if you suspect exposure.