mail-skill

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its email-management purpose, but its attachment-saving code builds write paths from untrusted email attachment filenames, so it can write files outside the intended mail folder.

Review or patch the attachment filename handling before fetching untrusted mail. If you install it, use an app-specific email password, restrict access to the mail_data folder, avoid broad fetches unless needed, and require explicit confirmation before sending, deleting, or bulk-moving emails.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

A malicious email with a crafted attachment filename could cause the fetch task to write or overwrite files outside the mail_data attachments folder, within the permissions of the running user.

Why it was flagged

Attachment filenames come from fetched emails and are joined directly into a local write path without basename sanitization, normalization, or a check that the result stays inside the intended attachments directory.

Skill content
att_path = os.path.join(att_dir, att.filename)
with open(att_path, 'wb') as f:
    f.write(att.payload)
Recommendation

Sanitize attachment filenames, reject absolute paths and path separators, normalize paths, and enforce that every attachment write remains under the configured attachment directory before fetching untrusted mail.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing and configuring the skill gives the agent access to the configured mailbox account according to the provided password or app password.

Why it was flagged

The skill needs mailbox credentials for IMAP and SMTP access, which is expected for this purpose but grants the agent authority to read, send, move, and delete mail.

Skill content
MAIL_ACCOUNT_1_EMAIL=your_email@example.com
MAIL_ACCOUNT_1_PASSWORD=your_app_password
MAIL_ACCOUNT_1_IMAP_SERVER=imap.example.com
MAIL_ACCOUNT_1_SMTP_SERVER=smtp.example.com
Recommendation

Use an app-specific password where possible, choose the least-privileged account configuration available, and require explicit user approval for sends, deletes, and bulk changes.

ASI06: Memory and Context Poisoning
Medium
What this means

Emails, summaries, metadata, and attachment paths can remain on disk and may be visible to local users, backups, other tools, or future agent tasks.

Why it was flagged

The skill persistently stores full email content and searchable indexes locally, which is core to the product but creates a sensitive local data cache.

Skill content
Retrieve emails via IMAP and save them locally (.eml, .json, and SQLite index).
Recommendation

Store mail_data in a protected location, consider encryption or OS access controls, and periodically delete cached data that is no longer needed.

ASI10: Rogue Agents
Low
What this means

Email fetching and local storage may continue in the background until the task completes.

Why it was flagged

Fetch runs in a background process after the command returns. The SKILL.md discloses asynchronous fetching, so this is purpose-aligned, but users should know work may continue after the initial agent response.

Skill content
p = multiprocessing.Process(target=_run_fetch_task, args=(task_id, config, config['DB_PATH'], args))
p.start()
Recommendation

Expose cancellation/status controls and make sure users approve large fetches or long-running sync jobs.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Future dependency versions could change behavior or introduce supply-chain risk at install time.

Why it was flagged

The skill relies on pip-installed packages with lower-bound version constraints rather than pinned versions or hashes. This is common and purpose-aligned, but less reproducible.

Skill content
imap-tools>=1.5.0
python-dotenv>=1.0.0
beautifulsoup4>=4.12.0
jinja2>=3.1.0
Recommendation

Pin dependency versions and use a reviewed lockfile or hash-verified installation for more reproducible installs.

ASI09: Human-Agent Trust Exploitation
Medium
What this means

Users may underestimate the need to protect local mail storage, review mailbox permissions, and patch unsafe attachment handling.

Why it was flagged

The README claims local collection and storage are 'absolutely safe.' That overstates the security posture for a tool that stores sensitive mail locally and has an attachment path containment issue.

Skill content
本地收取与存储,绝对安全 ("Local collection and storage, absolutely safe")
Recommendation

Replace absolute safety claims with precise privacy and security statements, and document remaining risks and required safeguards.