ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

imap-smtp-email-chinese

Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Wor...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 872 · 6 current installs · 6 all-time installs
by@apple133junjiang-a11y
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the actual code: scripts implement IMAP (imapflow/mailparser) and SMTP (nodemailer) operations (check, fetch, download attachments, send). The requested secrets (IMAP/SMTP credentials) are appropriate for the stated functionality.
Instruction Scope
SKILL.md and scripts instruct the agent to read/create a local .env and run node scripts that connect to IMAP/SMTP servers. These instructions are within scope for an email client skill. Note: the scripts load ../.env (dotenv or manual parsing) and the setup.sh writes .env and runs tests — all of which grant the skill access to any credentials placed in that file (expected for this tool).
Install Mechanism
No remote download/install step is present (instruction-only with included code). Dependencies are standard npm packages (nodemailer, imapflow, mailparser, etc.). Nothing is fetched from arbitrary URLs or shorteners.
!
Credentials
The skill legitimately needs IMAP/SMTP credentials, but the repository includes a pre-populated .env file (.env in manifest) containing IMAP_USER/SMTP_USER and IMAP_PASS/SMTP_PASS in plaintext (example: 123456@qq.com / password). Shipping a .env with credentials is a poor security practice and could expose secrets if they are real; the registry metadata also does not declare required env vars (the skill expects them via .env), which is an inconsistency that could confuse automated policy checks.
Persistence & Privilege
always:false, no system-wide config modifications, no self-enabling behavior. setup.sh will create a .env in the skill folder (expected behavior for local configuration). The skill can be invoked autonomously by the agent (platform default), which increases blast radius but is not, by itself, a discrepancy.
What to consider before installing
This skill appears to implement a legitimate IMAP/SMTP client, but exercise caution before installing: 1) The package includes a .env file with plaintext credentials — do NOT use provided credentials; replace the .env with your own values or keep credentials in a secure secret store. 2) Review the code yourself (imap.js, smtp.js, setup.sh) before running it; the scripts will read and write a .env and will connect to whatever IMAP/SMTP servers you configure. 3) Do not commit your .env to any VCS; add it to .gitignore. 4) If you ran the included .env or used provided credentials, rotate those credentials immediately. 5) If you do not fully trust the publisher, run the code in an isolated environment or container. These mitigations would reduce risk; absence of remote downloads is good, but the included plaintext .env is a notable red flag.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.0
Download zip
latestvk978qqr6tqbad8cddvee9ejv3s81z9t4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

IMAP/SMTP Email Tool

Read, search, and manage email via IMAP protocol. Send email via SMTP. Supports Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, vip.188.com, and any standard IMAP/SMTP server.

Configuration

Create .env in the skill folder or set environment variables:

# IMAP Configuration (receiving email)
IMAP_HOST=imap.gmail.com          # Server hostname
IMAP_PORT=993                     # Server port
IMAP_USER=your@email.com
IMAP_PASS=your_password
IMAP_TLS=true                     # Use TLS/SSL connection
IMAP_REJECT_UNAUTHORIZED=true     # Set to false for self-signed certs
IMAP_MAILBOX=INBOX                # Default mailbox

# SMTP Configuration (sending email)
SMTP_HOST=smtp.gmail.com          # SMTP server hostname
SMTP_PORT=587                     # SMTP port (587 for STARTTLS, 465 for SSL)
SMTP_SECURE=false                 # true for SSL (465), false for STARTTLS (587)
SMTP_USER=your@gmail.com          # Your email address
SMTP_PASS=your_password           # Your password or app password
SMTP_FROM=your@gmail.com          # Default sender email (optional)
SMTP_REJECT_UNAUTHORIZED=true     # Set to false for self-signed certs

Common Email Servers

ProviderIMAP HostIMAP PortSMTP HostSMTP Port
163.comimap.163.com993smtp.163.com465
vip.163.comimap.vip.163.com993smtp.vip.163.com465
126.comimap.126.com993smtp.126.com465
vip.126.comimap.vip.126.com993smtp.vip.126.com465
188.comimap.188.com993smtp.188.com465
vip.188.comimap.vip.188.com993smtp.vip.188.com465
yeah.netimap.yeah.net993smtp.yeah.net465
Gmailimap.gmail.com993smtp.gmail.com587
Outlookoutlook.office365.com993smtp.office365.com587
QQ Mailimap.qq.com993smtp.qq.com587

Important for 163.com:

  • Use authorization code (授权码), not account password
  • Enable IMAP/SMTP in web settings first

IMAP Commands (Receiving Email)

check

Check for new/unread emails.

node scripts/imap.js check [--limit 10] [--mailbox INBOX] [--recent 2h]

Options:

  • --limit <n>: Max results (default: 10)
  • --mailbox <name>: Mailbox to check (default: INBOX)
  • --recent <time>: Only show emails from last X time (e.g., 30m, 2h, 7d)

fetch

Fetch full email content by UID.

node scripts/imap.js fetch <uid> [--mailbox INBOX]

download

Download all attachments from an email, or a specific attachment.

node scripts/imap.js download <uid> [--mailbox INBOX] [--dir <path>] [--file <filename>]

Options:

  • --mailbox <name>: Mailbox (default: INBOX)
  • --dir <path>: Output directory (default: current directory)
  • --file <filename>: Download only the specified attachment (default: download all)

search

Search emails with filters.

node scripts/imap.js search [options]

Options:
  --unseen           Only unread messages
  --seen             Only read messages
  --from <email>     From address contains
  --subject <text>   Subject contains
  --recent <time>    From last X time (e.g., 30m, 2h, 7d)
  --since <date>     After date (YYYY-MM-DD)
  --before <date>    Before date (YYYY-MM-DD)
  --limit <n>        Max results (default: 20)
  --mailbox <name>   Mailbox to search (default: INBOX)

mark-read / mark-unread

Mark message(s) as read or unread.

node scripts/imap.js mark-read <uid> [uid2 uid3...]
node scripts/imap.js mark-unread <uid> [uid2 uid3...]

list-mailboxes

List all available mailboxes/folders.

node scripts/imap.js list-mailboxes

SMTP Commands (Sending Email)

send

Send email via SMTP.

node scripts/smtp.js send --to <email> --subject <text> [options]

Required:

  • --to <email>: Recipient (comma-separated for multiple)
  • --subject <text>: Email subject, or --subject-file <file>

Optional:

  • --body <text>: Plain text body
  • --html: Send body as HTML
  • --body-file <file>: Read body from file
  • --html-file <file>: Read HTML from file
  • --cc <email>: CC recipients
  • --bcc <email>: BCC recipients
  • --attach <file>: Attachments (comma-separated)
  • --from <email>: Override default sender

Examples:

# Simple text email
node scripts/smtp.js send --to recipient@example.com --subject "Hello" --body "World"

# HTML email
node scripts/smtp.js send --to recipient@example.com --subject "Newsletter" --html --body "<h1>Welcome</h1>"

# Email with attachment
node scripts/smtp.js send --to recipient@example.com --subject "Report" --body "Please find attached" --attach report.pdf

# Multiple recipients
node scripts/smtp.js send --to "a@example.com,b@example.com" --cc "c@example.com" --subject "Update" --body "Team update"

test

Test SMTP connection by sending a test email to yourself.

node scripts/smtp.js test

Dependencies

npm install

Security Notes

  • Store credentials in .env (add to .gitignore)
  • For Gmail: use App Password if 2FA is enabled
  • For 163.com: use authorization code (授权码), not account password

Troubleshooting

Connection timeout:

  • Verify server is running and accessible
  • Check host/port configuration

Authentication failed:

  • Verify username (usually full email address)
  • Check password is correct
  • For 163.com: use authorization code, not account password
  • For Gmail: use App Password if 2FA enabled

TLS/SSL errors:

  • Match IMAP_TLS/SMTP_SECURE setting to server requirements
  • For self-signed certs: set IMAP_REJECT_UNAUTHORIZED=false or SMTP_REJECT_UNAUTHORIZED=false

Files

10 total
Select a file
Select a file to preview.

Comments

Loading comments…