Email Summary

Anyone who receives the package may get access to a real mailbox credential, and the skill may operate on an account that does not belong to the installer.

The package includes a concrete QQ mailbox address and IMAP/SMTP authorization code, giving access to an email account rather than requiring each installer to configure their own credential.

Private contacts and email subjects from a real mailbox are exposed and may be reused by the skill or read by anyone installing it.

The skill package contains a large persisted mailbox-derived dataset with sender, recipient, subject, date, and sequence metadata.

Running the documented --send workflow may send private email summaries to an unknown hard-coded WeChat recipient.

The send function forwards the email summary through OpenClaw/WeChat to a fixed default target unless environment variables are set, and the setup/docs do not require the user to choose or confirm that recipient.

Users may trust the skill's safety guidance while the published package already contains the sensitive file it says not to publish.

The documentation warns that the config file is sensitive and should not be committed, yet the provided artifact set includes config/email-config.json with an auth code.

This is related to the stated setup purpose, but generated-code execution is more fragile and should be reviewed before use.

The setup flow writes a generated JavaScript connection-test file and executes it locally.

If enabled, the skill continues operating in the background and could repeatedly send email summaries.

The documentation describes an optional cron job that would keep fetching mail and sending summaries on a daily schedule.