qq-mail-read-send

Security checks across malware telemetry and agentic risk

Overview

This QQ Mail skill is mail-focused and not clearly malicious, but it can read private email and send real messages while using an inconsistent hard-coded credential path.

Review before installing. Use it only if you intend to grant access to your QQ mailbox and outbound sending. Fix the credential loader to use the documented user-scoped secrets file or explicit environment variables, protect the authorization code file, keep mail searches narrow, and require explicit review before any email is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The documentation tells users credentials live in ~/.openclaw/secrets/mail_qq.env, but the example code actually defaults to a hard-coded Windows Administrator path. This mismatch can cause the skill to read credentials from an unintended location, potentially another account’s secret store on shared or misconfigured systems, and breaks operator expectations about where sensitive data is sourced.

Vague Triggers

Medium
Confidence: 87%
Finding
Broad trigger phrases for a skill that can read and send email increase the chance of unintended activation during ordinary conversation. In this context, accidental invocation is more dangerous than usual because it may expose mailbox contents or initiate outbound email actions without sufficiently specific user intent.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list lacks scope limits and exclusion rules, so common phrases like '查看最近邮件' or '搜索邮件' may activate the skill in contexts where the user is not authorizing mailbox access. Because this skill handles sensitive communications and credentials, over-broad routing materially raises privacy and misuse risk.

Credential Access

High
Category: Privilege Escalation
Content
from email.header import Header
import os

def load_credentials(env_path=r"C:\Users\Administrator\.openclaw\secrets\mail_qq.env"):
    """Load MAIL_USER and MAIL_PASS from the env file"""
    creds = {}
    if os.path.exists(env_path):
Confidence: 94%
Finding
.env"

VirusTotal

65/65 vendors flagged this skill as clean.
