Email Monitor

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: qiusuo-email-monitor
Version: 1.0.0

The skill manages sensitive email credentials (including app passwords) and stores them in plaintext in the user's home directory. Additionally, the attachment downloading logic in `scripts/fetch_emails.py` is vulnerable to path traversal, as it uses unsanitized filenames from email headers in `os.path.join`, potentially allowing an attacker to overwrite arbitrary files on the system. While these are high-risk security flaws, they appear to be unintentional vulnerabilities rather than evidence of malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If attachment download is enabled, a malicious email attachment name could overwrite or create files outside the folder the user selected, within the permissions of the running agent.

Why it was flagged

Attachment filenames come from email content and are joined directly to the target directory without sanitizing path separators, absolute paths, or traversal components such as `../`.

Skill content

filename = decode_str(part.get_filename() or "attachment")
filepath = os.path.join(attachment_dir, filename)
with open(filepath, "wb") as f:

Recommendation

Sanitize attachment filenames with basename-style handling, reject absolute paths and traversal components, avoid overwriting existing files, and keep all downloads confined to the selected directory.

What this means

Anyone or any process that can read the config file may gain access to the mailbox credential, and a regular account password may grant broader account access than needed for read-only monitoring.

Why it was flagged

The skill requests mailbox credentials and stores them persistently in a local JSON config, including regular account passwords for some providers.

Skill content

Ask the user to provide:
- Their **email address**
- Their **app password** (or account password for non-Gmail)

Store these in a local config file

Recommendation

Prefer provider app passwords or OAuth tokens with limited scope, document the credential risk clearly, set restrictive file permissions, avoid regular account passwords where possible, and provide instructions to delete the config and rotate credentials.

What this means

The mailbox will keep being checked on the chosen schedule until the cron task is removed, which may be surprising if the user later forgets it is running.

Why it was flagged

The skill creates a persistent scheduled job that continues checking the mailbox after setup.

Skill content

After user confirms, create the cron job using openclaw:

openclaw cron add "<cron-expr>" "检查邮件 <email>" --run "python3 <skill_dir>/scripts/fetch_emails.py --config ..."

Recommendation

Show the user how to list, disable, and remove the cron job, and remind them where the stored credential and state files are located.

What this means

A malicious email could include instructions aimed at the AI assistant; if the assistant treats those instructions as commands instead of email content, it could be misled.

Why it was flagged

Fetched email body text is emitted for the agent/user to read or summarize, and email text is untrusted content that may contain prompt-injection instructions.

Skill content

"snippet": body,

Recommendation

Add explicit guidance that email contents are untrusted data, must not override user instructions, and should only be summarized or displayed unless the user separately approves an action.