email-summarizer

v1.0.4

Email summary and contact profiling skill. Fetch emails from an IMAP mailbox or parse local exports (.pst / .mbox / .msg), build a contact profile report (HT...

by Momo @momothemage
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (email summarization and contact profiling) align with the code and instructions. fetch_imap.py, parse_file.py, build_report.py, and send_report.py implement the described workflows. Node.js dependency (pst-extractor) is justified for native .pst parsing and readpst is offered as an alternative.
Instruction Scope
SKILL.md and scripts limit actions to reading local archives or connecting to IMAP/SMTP using credentials provided by the user. The skill reads/writes local files and may call a bundled Node helper or the system readpst binary when parsing .pst files; SKILL.md documents these calls and the code avoids shell=True and remote URLs during runtime. Scripts prompt for credentials if env vars are not set.
Install Mechanism
There is no platform install spec (instruction-only install). Runtime requires pip install -r requirements.txt and an optional npm install in scripts/. package-lock.json is included and shows resolved package tarballs served from a mirrors.tencent.com URL — npm install will pull pst-extractor (and transitive deps). This is a normal npm install flow but users may want to verify the registry/mirror and package integrity before running npm install in a sensitive environment.
Credentials
Only mailbox-related credentials (EMAIL_USER, EMAIL_PASS) and optional IMAP_HOST/IMAP_PORT are used; these are appropriate for IMAP fetch and SMTP send. The skill does not request unrelated cloud/provider keys or other secrets. Note: the registry metadata reported 'required env vars: none' while SKILL.md documents optional EMAIL_USER/EMAIL_PASS — this is a minor metadata mismatch (they are optional, not required).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not combined with other privileged behaviors.
Assessment
This skill appears to do exactly what it claims: parse local email exports or fetch via IMAP, build an HTML/XLSX contact report, and optionally send it over SMTP. Before installing/running:
- Only provide an app-specific IMAP/SMTP password (EMAIL_PASS) or use an app password from your mailbox provider; avoid using your primary login password.
- If you need PST parsing, the skill asks you to run `cd scripts && npm install`. Review package.json/package-lock and consider setting npm to the registry you trust (the included lockfile references a Tencent mirror). Verify pst-extractor's integrity or run npm install in an isolated VM/container if you are uncomfortable.
- The scripts will call the bundled Node helper (node scripts/pst_extractor_helper.js) and may call the system readpst binary if you choose that engine. Both operate on local files only; confirm you’re pointing them at the intended export files.
- send_report.py uses SMTP presets (163/qq/gmail/outlook); review SMTP_MAP if you want to confirm which SMTP hosts/ports will be contacted and that they match your expectations.
- Reports and any attachments are written to disk; treat generated files as you would any sensitive export (store/delete securely).

If you want to be extra cautious, run the skill in a disposable environment (container or VM) and inspect network activity during npm install and first run. Otherwise, the package is internally coherent and proportional to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latest vk977rr4yb21sr8wkt9rscd8qg583qg6d
