ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Mail Master Rose

通过阿里云邮箱、QQ邮箱或163邮箱等发送和接收邮件。支持发送普通邮件、带附件邮件、接收邮件、检查新邮件。当用户要求发送邮件、查看邮件、检查新邮件时使用。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 33 · 0 current installs · 1 all-time installs
by@roseknife520
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's stated purpose is to send/receive mail via QQ/163/阿里企业邮箱, which matches the code (IMAP/POP3/SMTP usage). However the packaged scripts include a config.json containing multiple plaintext credentials (email addresses and auth codes/passwords). A mail helper should ask the user to provide credentials, not ship with seemingly author-controlled credentials — this is unnecessary and raises risk of those accounts being used by the skill or the author.
Instruction Scope
SKILL.md confines runtime actions to editing a config file and running the provided CLI commands (send/receive/check-new/delete). Those operations map to the code. The instructions reference a config path 'skills/email/scripts/config.json' which does not match the actual packaged path 'scripts/config.json' — an inconsistency that may cause confusion. The code can read arbitrary local files when attachments are specified (expected for a mail tool) which also means the skill can be used to exfiltrate local files if misused.
Install Mechanism
There is no network install step or external download; this is an instruction-only skill with bundled Python scripts. No additional packages are installed. This is low risk from an install-source perspective.
!
Credentials
The skill declares no required env vars, but the bundled scripts include a config.json with multiple plaintext secrets (auth codes/passwords) for QQ/163/exmail accounts. Shipping pre-filled credentials is disproportionate and potentially malicious or at least negligent: those credentials may be controlled by the publisher and could be used to send/receive mail (and thus exfiltrate data). A well-scoped skill would require the user to supply their own credentials rather than embedding them.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time hooks. Autonomous invocation is allowed (platform default) but there is no additional persistence or elevated privilege requested by the skill.
What to consider before installing
This skill does what it says (send/receive mail), but the distributed config.json contains plaintext credentials for multiple accounts. Before installing or running: (1) Do not rely on the bundled credentials — assume they belong to the publisher; replace every credential in scripts/config.json with your own account and authorization codes or remove those entries entirely. (2) Verify the config file path the skill expects (SKILL.md references 'skills/email/scripts/config.json' but the package contains 'scripts/config.json') and correct it if needed. (3) Be cautious about attaching local files — the tool can read and send any file you point it at, which could leak secrets. (4) If you don't trust the publisher, do not use the bundled credentials and consider removing or sandboxing the skill. If you want higher assurance, ask the publisher to remove default credentials and to support reading credentials from secure environment variables or a credential manager.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk974mvfx553v7wn27admnzcv6d83nhxm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

邮件管理

通过阿里云邮箱、QQ邮箱或163邮箱等发送和接收邮件。

配置

编辑 skills/email/scripts/config.json,填写邮箱地址和授权码(非登录密码)。

授权码获取:

  • QQ 邮箱:设置 > 账户 > 开启 IMAP/SMTP > 生成授权码
  • 163 邮箱:设置 > POP3/SMTP/IMAP > 开启服务 > 设置授权密码

可通过 default_mailbox 字段设置默认邮箱("qq""163")。

命令行调用

# 发送邮件
python3 skills/email/scripts/mail.py send --to user@example.com --subject "主题" --content "内容"

# 发送带附件
python3 skills/email/scripts/mail.py send --to user@example.com --subject "报告" --content "请查收" --attach report.pdf

# 接收最新邮件
python3 skills/email/scripts/mail.py receive --limit 5

# 接收邮件(JSON 输出,推荐 AI 使用)
python3 skills/email/scripts/mail.py receive --limit 5 --json

# 检查新邮件(最近 N 天)
python3 skills/email/scripts/mail.py check-new --since 1

# 检查新邮件(JSON 输出)
python3 skills/email/scripts/mail.py check-new --since 1 --json

# 删除邮件(移到已删除文件夹,QQ邮箱可恢复)
python3 skills/email/scripts/mail.py delete --ids 123

# 批量删除
python3 skills/email/scripts/mail.py delete --ids 123 124 125

# 彻底删除(不可恢复)
python3 skills/email/scripts/mail.py delete --ids 123 --permanent

# 指定邮箱类型
python3 skills/email/scripts/mail.py --mailbox 163 send --to user@example.com --subject "测试"

删除邮件说明

  • QQ 邮箱(IMAP):默认移到「已删除」文件夹,可以从已删除中恢复。加 --permanent 彻底删除。
  • 163 邮箱(POP3):POP3 协议不支持文件夹操作,删除始终是永久的,不可恢复。

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…