Email Usage
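v1.0.2
Use the local mail server to send and receive mail for our own domain. The fixed scripts are in the scripts/ directory and can be run directly. If sending fails or a password is forgotten, contact 小爪子.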
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The scripts implement sending, reading, and creating local mail accounts and the SKILL.md documents how to run them. Requiring docker (to run 'docker exec mailserver ...' in create_email.py) is consistent with the create-account action. Minor inconsistency: _meta.json lists no required binaries while SKILL.md and the script clearly expect docker.
Instruction Scope
Instructions stay within the stated purpose and only tell you to run the provided scripts. However, the instructions direct you to pass plaintext passwords on the command line (exposed in process lists and shell history) and assume a specific local setup (container named 'mailserver', IMAP on localhost:1143, SMTP on localhost:587). The send script will attempt authentication and then fall back to an unauthenticated send on auth failure — this is functional but can be abused if run on an open SMTP listener.
Install Mechanism
No install spec — instruction-only with bundled scripts. Nothing is downloaded or written by an installer, which is the lowest-risk install pattern.
Credentials
No environment variables or external credentials are requested by the skill manifest. However create_email.py invokes the local Docker CLI and therefore requires access to the Docker socket/daemon. That gives whoever runs these scripts (or an agent that can invoke them) the ability to execute commands inside the 'mailserver' container and, depending on host configuration, broad local privileges. Also, passing passwords on the CLI exposes secrets via process listings and shell history.
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify other skills or system-wide config, and is user-invocable only. Autonomous invocation is allowed by default but not combined with other alarming privileges.
Assessment
This skill appears to do what it says (create accounts in a local mailserver container, read via IMAP, send via SMTP). Before using it:
1) Verify you trust the skill source (no homepage and unknown owner).
2) Confirm your environment matches the scripts' assumptions (container named 'mailserver', IMAP on 1143, SMTP on 587).
3) Avoid passing passwords on the command line (use an interactive prompt or protected environment variable) because CLI args appear in process lists and shell history.
4) Be aware create_email.py calls 'docker exec' — the account running the script must have Docker access; that implies significant local privileges and potential for executing arbitrary commands in the container.
5) If you plan to let an agent call these scripts autonomously, restrict which agent actions are allowed and audit logs; do not grant broad host-level Docker access to untrusted agents.
If any of these assumptions or requirements are unacceptable, do not install the skill, or review/modify the scripts to fit your security policies.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📧 Clawdis
Any bin: docker
latest
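Email Usage
SMTP sending (authentication required)
python3 skills/email-usage/scripts/send_email.py <recipient> <subject> <body> <sender address> <password>
Parameters: recipient, subject, body, sender address, password (ask 小爪子 for it)
Example: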
python3 skills/email-usage/scripts/send_email.py \
'someone@example.com' '邮件标题' '邮件正文' \
'test@axelhu.com' 'test1234'
IMAP reading
python3 skills/email-usage/scripts/read_email.py <username> <password> [latest N messages, default 5]
Example:
python3 skills/email-usage/scripts/read_email.py 'test@axelhu.com' 'test1234' 3
Creating a new mailbox account
python3 skills/email-usage/scripts/create_email.py <email address> <password>
Example:
python3 skills/email-usage/scripts/create_email.py newuser@axelhu.com securepass
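After the account is created, sending and receiving use the same password.
Rules
- Do not configure SMTP/Postfix/amavis
- Do not manipulate the mail queue (postqueue/postsuper)
- Do not modify configuration inside the container
- Connection timeout or send failure → contact 小爪子
- Forgotten password → contact 小爪子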
