Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Reader

Email reading and management skill: lets the AI read, summarize and send email. Triggered when the user asks to check mail, summarize unread messages, or send an email notification.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 670 · 4 current installs · 4 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Skill description and runtime instructions align: it reads and sends email via IMAP/SMTP and recommends the himalaya CLI. However, the registry metadata declares no required binaries or primary credential even though SKILL.md expects the himalaya CLI and user mail credentials—this mismatch should be clarified.
Instruction Scope
The instructions directly tell users how to configure accounts with username/password on the command line (examples show plaintext passwords in CLI args) and recommend periodic reminders. Showing CLI invocations that embed passwords is insecure and could lead to credential leakage (shell history, process listing, logs). The skill does not explicitly limit what the agent should read beyond the mail client, and the '定时提醒' (scheduled reminders) implies background/periodic actions without specifying how scheduling or authorization is handled.
Install Mechanism
There is no install spec in the registry (lowest-risk), but SKILL.md recommends installing himalaya via brew/cargo/winget—these are standard package sources. This is acceptable, but the registry should declare the binary dependency so users know the runtime requirement ahead of time.
Credentials
No required environment variables or primary credential are declared despite the skill needing email account credentials (app passwords, OAuth tokens, or auth codes). The README suggests using environment variables and OAuth (good), but the concrete examples show passing passwords directly in CLI flags which is disproportionate and unsafe. The skill requests access to sensitive secrets in practice but doesn't document or enforce a secure mechanism for them.
Persistence & Privilege
always:false (default) and autonomous invocation allowed (normal). The SKILL.md mentions scheduled reminders, which implies persistent or recurring actions, but the skill provides no mechanism for persisting schedules or elevating privileges. This is a behavioral note to clarify how and when the agent will run these reminders.
What to consider before installing
This skill appears to do what it claims (manage email via the himalaya CLI), but it has a few problems you should address before use:

- Clarify dependencies: the registry should list 'himalaya' as a required binary so you know it must be installed.
- Do NOT copy the example that puts passwords on the command line; this exposes credentials to shell history and process lists. Prefer OAuth or storing credentials in a secure environment variable or credential store.
- If you enable scheduled reminders, confirm how the agent will store the schedule and whether it runs autonomously; be cautious granting ongoing autonomous access to your email.
- When installing himalaya, use the official package source for your OS (brew, winget, crates.io) and verify the project repo.
- Consider requiring explicit environment variables (or an OAuth flow) for credentials and avoid sharing raw auth tokens with the skill.

If you need me to, I can suggest a safer configuration and a checklist to harden usage of this skill. Confidence is medium because the skill is instruction-only and coherent overall, but the missing metadata and insecure examples are concerning rather than definitive proof of malicious intent.


Current version: v1.0.0
latest: vk979vzym31etxv07ara5najd8n81spj9


SKILL.md

Email Reader - Email Management Skill

Overview

Gives the AI the following email-management capabilities:

  • Read email (IMAP)
  • Send email (SMTP)
  • Summarize and categorize email
  • Alert on important email

Trigger Scenarios

  1. The user asks to "check mail" or "read mail"
  2. The user asks to "summarize unread mail"
  3. The user asks to "send an email"
  4. The user asks to "check for important mail"
  5. Scheduled reminders to the user to check mail

Supported Mail Services

| Service      | Protocol  | Notes                             |
|--------------|-----------|-----------------------------------|
| Gmail        | IMAP/SMTP | Requires an app-specific password |
| Outlook      | IMAP/SMTP | Supports OAuth                    |
| QQ Mail      | IMAP/SMTP | Requires an authorization code    |
| NetEase Mail | IMAP/SMTP | Supports IMAP                     |

Using the himalaya CLI

The himalaya CLI is recommended for managing mail:

Installation

# macOS
brew install himalaya

# Linux
cargo install himalaya

# Windows
winget install himalaya

Configuration

himalaya envelope add --name personal \
  --imap-host imap.example.com \
  --imap-port 993 \
  --smtp-host smtp.example.com \
  --smtp-port 587 \
  --username your@email.com \
  --password "your-password"
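The same account configured so that the password never appears on a command line, as an added example that is not part of this SKILL.md or of the himalaya project. It uses himalaya's config file instead of flags; the key names follow the layout of himalaya 1.x's sample configuration (`backend.auth.cmd`, with `backend.auth.keyring` as the alternative) and should be checked against the version you actually install, and `pass` is assumed as the credential store:

```toml
# ~/.config/himalaya/config.toml
# Added example. Key names per himalaya 1.x's sample config; verify against your version.
[accounts.personal]
email = "your@email.com"
default = true

# Receiving: IMAP over TLS. The password is fetched from the credential
# manager at runtime, so it is never in argv, shell history or `ps` output.
backend.type = "imap"
backend.host = "imap.example.com"
backend.port = 993
backend.encryption.type = "tls"
backend.login = "your@email.com"
backend.auth.type = "password"
backend.auth.cmd = "pass show email/personal"   # alternative: backend.auth.keyring = "personal"

# Sending: SMTP with STARTTLS, same credential source.
message.send.backend.type = "smtp"
message.send.backend.host = "smtp.example.com"
message.send.backend.port = 587
message.send.backend.encryption.type = "start-tls"
message.send.backend.login = "your@email.com"
message.send.backend.auth.type = "password"
message.send.backend.auth.cmd = "pass show email/personal"
```

With this file in place the agent only ever runs `himalaya` with an `--account personal` selector; the secret travels from the credential manager's stdout into the process and nowhere else.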

Common Commands

# List messages
himalaya list --account personal -w 50

# Read a message
himalaya read <email-id>

# Send a message
himalaya send --from your@email.com --to recipient@example.com \
  --subject "Subject" --body "Content"

# Search messages
himalaya search --account personal "keyword"

Workflow

1. Check configuration → confirm himalaya is configured
2. Fetch mail → use the list/read commands
3. Filter for importance → flag important messages
4. Summarize and present → summarize for the user in Chinese

Security Notes

  • Do not expose passwords in logs
  • Store sensitive information in environment variables
  • Prefer OAuth authentication (where supported)
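A runtime guard that makes the three notes above, and the scan's warning about passwords in CLI arguments, something the agent enforces rather than remembers. This is an added example, not code from the Email Reader skill or from himalaya: the secret is resolved from an environment variable or a credential command, every command line is checked for an inline secret before it is executed, and anything logged is redacted. The flag list, the `MAIL_APP_PASSWORD` variable name and the `-p` heuristic are assumptions for the demo; the argv examples mirror the page's own commands.

```python
"""Credential guard for an agent that shells out to a mail CLI.

Added example; not code from the Email Reader skill or from himalaya.
"""
import os
import shlex
import subprocess

# Flags whose value is a secret. Assumed list for this example; the short
# flag "-p" is a heuristic and may need adjusting for a given CLI.
SECRET_FLAGS = ("--password", "--passwd", "--token", "--access-token", "-p")


class InlineSecretError(ValueError):
    """A command line would expose a secret via argv (history, ps, logs)."""


def find_inline_secrets(argv):
    """Return indices of argv elements that introduce an inline secret.

    Catches the spellings a user might copy from a README:
    `--password VALUE`, `--password=VALUE` and `-pVALUE`.
    """
    hits = []
    for i, arg in enumerate(argv):
        name = arg.split("=", 1)[0]
        if name in SECRET_FLAGS:
            hits.append(i)
        elif arg.startswith("-p") and not arg.startswith("--") and len(arg) > 2:
            hits.append(i)  # e.g. -phunter2
    return hits


def redact(argv):
    """Copy of argv that is safe to log: every secret value replaced by ***."""
    out = list(argv)
    for i in find_inline_secrets(argv):
        arg = out[i]
        if arg in SECRET_FLAGS:                     # --password VALUE / -p VALUE
            if i + 1 < len(out):
                out[i + 1] = "***"
        elif arg.split("=", 1)[0] in SECRET_FLAGS:  # --password=VALUE
            out[i] = arg.split("=", 1)[0] + "=***"
        else:                                       # -pVALUE
            out[i] = "-p***"
    return out


def resolve_secret(env_var="MAIL_APP_PASSWORD", command=None, environ=None):
    """Return the mail secret from the environment, else from a credential command.

    The command (e.g. "pass show email/personal") gets no secret on its own
    command line; the secret only ever travels through its stdout.
    """
    environ = os.environ if environ is None else environ
    value = environ.get(env_var)
    if value:
        return value
    if command:
        proc = subprocess.run(shlex.split(command), capture_output=True, text=True, check=False)
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None


def guarded_run(argv, dry_run=False):
    """Run argv only if it carries no inline secret; log a redacted copy."""
    hits = find_inline_secrets(argv)
    if hits:
        raise InlineSecretError(
            "refusing to run, secret in argv at %s: %s" % (hits, shlex.join(redact(argv)))
        )
    print("exec:", shlex.join(argv))  # nothing secret can be here now, so logging is safe
    if dry_run:
        return 0
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    secret = resolve_secret(environ={"MAIL_APP_PASSWORD": "demo-only"})  # constructed env
    try:
        # The page's own insecure configuration example, rejected by the guard.
        guarded_run(["himalaya", "envelope", "add", "--username", "you@example.com", "--password", secret])
    except InlineSecretError as err:
        print(err)
    # The page's list command carries no secret and is allowed through.
    guarded_run(["himalaya", "list", "--account", "personal", "-w", "50"], dry_run=True)
```

`guarded_run` is deliberately strict: it refuses rather than rewriting the command, because a user who pasted `--password` on the command line has already leaked it to shell history and should rotate it.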

Output Format

When presenting mail to the user:

  • Sender, subject, summary
  • Brief receipt details
  • Suggested actions (reply, delete, flag)
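An offline version of workflow steps 2 to 4 that produces this output format, as an added example that is not the skill's own code: it parses fetched messages, flags the important ones and builds one summary entry per message (sender, subject, summary, receipt time, suggested action). The two raw messages are constructed here to stand in for what the mail client would return, and the importance rules (a sender allow-list and a keyword list) are assumptions for the demo.

```python
"""Summarize fetched messages the way the Output Format section asks.

Added example; not the Email Reader skill's own code. Sample messages are
constructed, and the importance rules are assumptions.
"""
import email
import re
from email import policy

IMPORTANT_SENDERS = ("boss@example.com",)                   # assumed allow-list
IMPORTANT_WORDS = ("urgent", "deadline", "invoice", "紧急")  # assumed keywords

# Constructed sample mailbox: a multipart message with an RFC 2047 encoded
# UTF-8 subject, and a plain newsletter.
SAMPLE_MESSAGES = [
    b"""From: boss@example.com
To: you@example.com
Subject: =?utf-8?b?57Sn5oCl77yaUTEg5oql5ZGK?=
Date: Mon, 03 Jun 2024 09:15:00 +0000
Message-ID: <1@example.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Please send the Q1 report before Friday.
--b1
Content-Type: text/html; charset=utf-8

<p>Please send the Q1 report before <b>Friday</b>.</p>
--b1--
""",
    b"""From: newsletter@example.com
To: you@example.com
Subject: Weekly digest
Date: Mon, 03 Jun 2024 08:00:00 +0000
Message-ID: <2@example.com>
Content-Type: text/plain; charset=us-ascii

Here is what happened this week.
""",
]


def plain_text(msg):
    """Best-effort text body: prefer text/plain, else strip tags from text/html."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    content = part.get_content()
    if part.get_content_type() == "text/html":
        content = re.sub(r"<[^>]+>", "", content)
    return " ".join(content.split())


def summarize(raw):
    """One Output Format entry for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))   # policy.default decodes RFC 2047 words
    body = plain_text(msg)
    haystack = (subject + " " + body).lower()
    important = sender.lower() in IMPORTANT_SENDERS or any(
        word.lower() in haystack for word in IMPORTANT_WORDS
    )
    return {
        "sender": sender,
        "subject": subject,
        "summary": body[:120],
        "received": str(msg.get("Date", "")),
        "important": important,
        "suggested_action": "reply" if important else "archive",
    }


def summarize_mailbox(raws):
    """Summaries with important messages first (workflow step 3, then step 4)."""
    return sorted((summarize(r) for r in raws), key=lambda s: not s["important"])


if __name__ == "__main__":
    for item in summarize_mailbox(SAMPLE_MESSAGES):
        flag = "[!] " if item["important"] else "    "
        print(f'{flag}{item["sender"]} | {item["subject"]} | {item["summary"]} | {item["suggested_action"]}')
```

Decoding the subject with `policy.default` matters for the keyword rule: the encoded-word form `=?utf-8?b?...?=` would never match "紧急", so a summarizer that reads raw headers silently misses important Chinese-language mail.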
