email-pro-optimized
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches an email-management purpose, but it requests broad persistent email authority and includes an unrelated Git auto-push script that users should review carefully.
Install only if you trust the publisher and are comfortable granting email read/send authority. Prefer your own Gmail/Azure OAuth clients with minimal scopes, review every provider consent screen, protect ~/.openclaw/credentials, and avoid running the auto-push or maintenance scripts unless you intentionally want Git changes published.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Authorizing the skill may grant persistent email account authority broader than a user expects for simple checking or sending tasks.
The OAuth requests use a broad Gmail modify scope and an opaque Microsoft Graph default scope rather than clearly enumerating minimal read/send permissions.
'scope': 'https://www.googleapis.com/auth/gmail.modify' ... 'scope': 'https://graph.microsoft.com/.default'
Review provider consent screens carefully, prefer least-privilege OAuth scopes, and use separate OAuth apps or accounts where possible.
A user could grant email access through an unknown preconfigured Microsoft application rather than their own reviewed OAuth client.
The quick Outlook authorization path uses embedded Azure application credentials, so users may authorize an app identity and permission set they did not configure themselves.
--client-id "0360031a-ad0e-4bce-9d2f-0c53eda894b8" \ --client-secret "914fb58f-4aea-4ddb-bb97-51d66581cfee" \ --tenant-id "40a99b83-a343-41ca-b303-3e122965a6d8"
Do not use the bundled Outlook authorization script unless you trust the app registration; create and use your own Azure app credentials if possible.
Anyone who gains access to the token file may be able to reuse email authorization until tokens are revoked or expire.
The skill persists OAuth access and refresh tokens locally with restrictive permissions; this is expected for auto-refresh but remains sensitive persistent state.
'access_token': token_data.get('access_token'),
'refresh_token': token_data.get('refresh_token') ... OAUTH_TOKENS_FILE.chmod(0o600)
Keep ~/.openclaw/credentials protected, verify file permissions, and revoke OAuth grants when uninstalling or no longer using the skill.
An agent could send messages or files from the user's email account if the command is invoked with those arguments.
The skill can send email and attach local files from configured accounts; this is core email functionality but high-impact if used without user confirmation.
send_parser.add_argument('--to', required=True, help='收件人') ... send_parser.add_argument('--attach', nargs='+', help='附件')
Require explicit review of recipients, subject/body, and attachments before allowing the agent to send email.
If run, this could unexpectedly publish local skill changes or sensitive files in that repository to a remote Git origin.
An email-management skill includes a maintenance script that stages all changes, commits, and pushes to GitHub from the installed skill directory, which is outside the stated email purpose.
run_command("git add -A") ... run_command(f'git commit -m "{escaped_message}"') ... run_command(f"git push origin {branch}")
Do not run the auto-push helper unless you intend to publish the repository; publishers should remove it or add explicit dry-run and confirmation controls.
