Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email163 Sender
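v1.0.1
163 Mail sending tool. Uses an authorization password (authorization code) for SMTP authentication to send email. Supports plain-text email, HTML email, email with attachments, and CC/BCC. Use this skill when the user needs to send email.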
by Marvin @imnull
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included script: the code implements SMTP send for smtp.163.com and supports attachments/HTML/cc/bcc/history. However the registry metadata lists no required env vars even though both SKILL.md and the script rely on EMAIL_163_USER and EMAIL_163_AUTH_CODE — that metadata omission is an incoherence.
Instruction Scope
SKILL.md instructions tell the user to set EMAIL_163_USER and EMAIL_163_AUTH_CODE and run the script, which matches behavior. But SKILL.md does not mention that the script will create and write a local history file under WORKSPACE/.email_history (defaulting to current working directory), nor that the script disables SSL certificate verification when connecting to the SMTP server (context.check_hostname=False and context.verify_mode=ssl.CERT_NONE). Both the undocumented filesystem writes and the insecure TLS setting expand scope beyond what a casual user might expect.
Install Mechanism
Instruction-only skill with a single Python script; no install spec or remote downloads. This is low-risk from an installation surface perspective.
Credentials
The script requires EMAIL_163_USER and EMAIL_163_AUTH_CODE (and will also read WORKSPACE if present) but the skill metadata did not declare any required environment variables or a primary credential. Requesting an email address and auth code is reasonable for SMTP, but the omission in the metadata is a mismatch that reduces transparency. The auth code is sensitive and should be declared and stored/handled carefully.
Persistence & Privilege
The skill persists a sent_emails.json history in WORKSPACE/.email_history (or current directory if WORKSPACE unset). It does not request always:true or modify other skills. Persisting send-history is plausible for this tool but users should know exactly where data is written (SKILL.md does not document the path).
What to consider before installing
This skill appears to implement a straightforward 163.com SMTP sender, but review these issues before installing:
(1) The registry metadata fails to declare required env vars — you must provide EMAIL_163_USER and EMAIL_163_AUTH_CODE; treat the auth code as a secret and store/rotate it securely.
(2) The script disables TLS certificate verification when connecting to smtp.163.com (context.check_hostname=False and verify_mode=ssl.CERT_NONE), which makes the connection vulnerable to MITM; consider editing the script to enable default verification before use.
(3) The script writes a history file to WORKSPACE/.email_history (or current directory) — ensure WORKSPACE is not pointed at a sensitive system path and review/clear stored history if needed.
(4) Because the metadata omitted the env vars, prefer to run this in a controlled environment (not a shared CI runner) and inspect or run the script manually first.
If you need help hardening the script (re-enable cert verification, make history storage explicit/configurable, avoid storing secrets in env vars), ask for a patched version or guidance.
Like a lobster shell, security has layers — review code before you run it.
Tags: 163, email, latest, smtp
