Email Mail Master Rose

WarnAudited by ClawScan on May 18, 2026.

Overview

The skill’s email functions match its stated purpose, but it ships plaintext mailbox authorization secrets and can permanently delete emails, so it needs review before use.

Do not use this skill as-is. First remove the bundled mailbox credentials, rotate/revoke the exposed authorization codes, configure only your own mailbox through a secure local mechanism, and require explicit confirmation before any delete or permanent-delete action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI03: Identity and Privilege Abuse

What this means

An agent could send, read, or delete mail using bundled accounts, and the exposed authorization codes may compromise those mailboxes.

Why it was flagged

The package includes plaintext mailbox identifiers and authorization secret fields instead of requiring the installer to provide their own credentials securely. This is especially concerning because the registry metadata declares no primary credential or required env vars.

Skill content

"qq_email": { "email": "roseknife@qq.com", "auth_code": "[redacted]" }, "163_email": { "email": "roseknife@163.com", "auth_password": "[redacted]" }, "exmail_email": { "email": "cs@xmainc.com", "auth_code": "[redacted]" }

Recommendation

Remove all bundled secrets, rotate/revoke the exposed mailbox authorization codes, declare the mailbox credential requirement, and load user-provided secrets from a secure local config or secret store.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

A mistaken or over-broad agent command could delete multiple emails, including permanently deleting messages from the mail server.

Why it was flagged

The CLI exposes single and batch email deletion, including irreversible deletion, and the command path executes deletion directly from the provided IDs.

Skill content

delete_parser.add_argument('--ids', nargs='+', required=True, ...); delete_parser.add_argument('--permanent', action='store_true', help='彻底删除（不可恢复）...'); result = manager.delete_emails_batch(email_ids, permanent=args.permanent)

Recommendation

Require explicit user confirmation before deletion, show the target mailbox/messages before acting, make permanent deletion harder to trigger, and clearly disclose delete capability in the skill metadata.

Low

#ASI06: Memory and Context Poisoning

What this means

Private email content may enter the chat context, and malicious email text could try to influence the agent if treated as instructions.

Why it was flagged

The skill intentionally returns email headers and message content to the agent. This is expected for an email reader, but sender-controlled email text is untrusted input.

Skill content

emails.append({ 'id': email_id.decode(), 'subject': subject, 'from': from_, 'date': date, 'content': content[:200] + '...' if len(content) > 200 else content })

Recommendation

Treat email bodies as untrusted data, avoid following instructions contained in emails without separate user confirmation, and limit how much email content is exposed when possible.