Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Marketing

Performs email marketing tasks, including bulk marketing sends, automated reply monitoring, intelligent FAQ knowledge-base matching, and automatic language alignment of replies.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 221 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
Name/description (email marketing, auto-reply, FAQ matching) aligns with the provided scripts, but the package metadata declares no required environment variables or credentials while all scripts clearly rely on SMTP/IMAP credentials and other env vars. There is also a hardcoded FAQ_PATH that does not match the SKILL.md's listed resources, indicating incoherence between documentation and code.
[!] Instruction Scope
SKILL.md tells the agent to read local files (邮箱.xlsx, 邮件内容.html, faq.txt) and run the provided scripts, which is expected, but the runtime code uses different defaults and paths (e.g., the EXCEL/HTML defaults point to ~/Desktop, and auto_reply_manager references a hardcoded absolute FAQ path under /home/node/.openclaw/media/...), and the code toggles behavior (test vs. run) based on env vars and arguments. The mismatch between SKILL.md and the actual script paths and behavior could cause silent failures or unexpected file access.
Install Mechanism
Instruction-only + included Python scripts — there is no installation step or external download. No packages are pulled at install time. Risk comes from executing the provided scripts rather than from an installer.
[!] Credentials
Scripts require sensitive credentials and config via environment variables (EMAIL_SMTP_USER, EMAIL_SMTP_PASS, EMAIL_IMAP_HOST/PORT, EMAIL_SMTP_HOST/PORT, EMAIL_TEST_TARGET, EMAIL_EXCEL_PATH, etc.) but the skill metadata declared no required env vars — an important omission. The code also uses SMTP credentials for IMAP login in places (mixing env names), and defaults to corporate-sounding hosts (imap.corp.netease.com/smtp.corp.netease.com), which is unexpected. These credentials are highly sensitive and the lack of clear declaration is disproportionate and risky.
Persistence & Privilege
The always flag is false, and the skill does not request persistent system-wide privileges. It writes logs and state to its own assets/ files (email_status.json, reply_stats.json, pending_replies.json), which is expected for this functionality.
What to consider before installing
This skill contains runnable Python scripts that will need your SMTP/IMAP credentials and local files (Excel, HTML, FAQ). Before running or installing:

  1. Treat EMAIL_SMTP_USER / EMAIL_SMTP_PASS (and any IMAP creds) as highly sensitive — avoid using primary/production accounts; create a dedicated test mailbox and rotate credentials after testing.
  2. Inspect and correct the path mismatches (SKILL.md expects faq.txt in the skill folder but auto_reply_manager.py points to a hardcoded inbound path).
  3. Note that the scripts disable TLS certificate verification (ssl.CERT_NONE) — this is insecure and makes man-in-the-middle attacks possible; fix to validate certificates.
  4. The sender code deliberately inserts hidden tags to evade spam filters — this is adversarial and may violate your mail provider's terms or anti-spam laws; review legal/compliance implications.
  5. Because the metadata does not declare required env vars, expect the skill to prompt for or require secrets at runtime; do not supply high-privilege credentials without auditing the code.
  6. Run in an isolated environment (sandbox or VM) and test with the TEST_EMAIL value set to a controlled address before any bulk send.

If you want, I can list exact lines to change to harden the scripts (restore TLS checks, consolidate env var names, update FAQ path) or produce a checklist for safe testing.
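As an added illustration of items 3 and 5 above (written for this review, not code from the skill's scripts or the scan output): the ssl.CERT_NONE pattern the scan flags beside a hardened context, a strict reader for the environment variables the scan lists that refuses to fall back to a hard-coded host, and a connect helper that rejects an unverified context before touching the network. Function names, the port defaults and the sample values are assumptions of this example.

```python
import os
import ssl
import imaplib
import smtplib

# Added example, not from the skill's scripts: the TLS setting the scan flags,
# beside a hardened replacement, plus a strict reader for the env vars it lists.

def insecure_context() -> ssl.SSLContext:
    """The pattern the scan objects to: certificate and hostname checks disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE   # accepts any certificate, so MITM goes unnoticed
    return ctx

def hardened_context(cafile=None) -> ssl.SSLContext:
    """Verify the chain against the system trust store (or cafile) and the hostname."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Pre-flight check a script can run before it opens any connection."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

# Variables named in the scan report; hosts are required, never defaulted.
REQUIRED = ("EMAIL_SMTP_HOST", "EMAIL_SMTP_USER", "EMAIL_SMTP_PASS", "EMAIL_IMAP_HOST")

def mail_settings(env=None) -> dict:
    """Read the env vars and fail loudly on a missing one (assumed port defaults).
    One login is used for both sessions, as the skill's scripts do."""
    env = os.environ if env is None else env
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("missing environment variables: " + ", ".join(missing))
    return {
        "smtp_host": env["EMAIL_SMTP_HOST"],
        "smtp_port": int(env.get("EMAIL_SMTP_PORT", 465)),
        "imap_host": env["EMAIL_IMAP_HOST"],
        "imap_port": int(env.get("EMAIL_IMAP_PORT", 993)),
        "user": env["EMAIL_SMTP_USER"],
        "password": env["EMAIL_SMTP_PASS"],
    }

def connect(settings: dict, ctx: ssl.SSLContext):
    """Open both sessions with a verified context only (needs network access)."""
    if not context_is_safe(ctx):
        raise ValueError("refusing to connect with certificate verification disabled")
    imap = imaplib.IMAP4_SSL(settings["imap_host"], settings["imap_port"], ssl_context=ctx)
    smtp = smtplib.SMTP_SSL(settings["smtp_host"], settings["smtp_port"], context=ctx)
    return imap, smtp
```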


Current version: v0.1.0


SKILL.md

Email Marketing & Auto-Reply Skill

This Skill is used to execute email marketing tasks robustly and to close the loop on automated replies.

Core Features

  1. Personalized bulk send: automatically reads 邮箱.xlsx and, for each row, dynamically replaces the 【变量名】 (variable-name) placeholders in the HTML, achieving one-to-one targeted marketing.
  2. Automated reply monitoring: periodically scans the inbox for unread messages and identifies customer questions.
  3. FAQ knowledge-base matching: when a reply arrives, faq.txt must be consulted. Only questions with a definite answer in the knowledge base are answered; uncertain ones are left unanswered.
  4. Language alignment and business etiquette: automatically detects the language of the reply (e.g. Chinese, English, Japanese) and drafts a response in the same language with a courteous, high-standard business tone.
  5. Test sending and anti-blocking: built-in fingerprint-scrambling codes and simulated human sending delays lower the chance of landing in the spam folder.

Resource Dependencies

  • Recipient list 邮箱.xlsx (supports reading kol name, gender, etc. for content substitution)
  • Subject 邮件标题.txt
  • Body 邮件内容.html
  • Knowledge base faq.txt (reference standard answers for auto-replies)

Usage Guide

1. Test send

python3 final_sender.py

2. Run the full bulk send

python3 final_sender.py run

3. Scan and auto-process replies

Run the script to scan new mail and draft replies intelligently using the FAQ: python3 auto_reply_manager.py

4. Confirm and send a reply

python3 auto_reply_manager.py send "recipient@email.com" "Subject" "Content"

5. View the statistics report

python3 check_replies.py

Automation Rules (Mandatory)

  • Deduplication: messages that have already been replied to must not be replied to again.
  • Certainty: reply only to questions that have a definite answer in the FAQ; when uncertain, do not reply.
  • Content consistency: HTML rendering changes only the styling; the wording of the copy must never be altered (variables excepted).
  • Steady throttling: during the formal send, wait a random 3-8 second delay between messages and take a longer break after every 10 messages.

Files

6 total
