ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email163 Sender

v1.0.1

163邮箱发送工具。使用授权密码(授权码)进行SMTP认证发送邮件。支持文本邮件、HTML邮件、带附件邮件、抄送/密送。当用户需要发送邮件时使用此技能。

0· 136·1 current·1 all-time
byMarvin@imnull

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for imnull/email163-sender.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Email163 Sender" (imnull/email163-sender) from ClawHub.
Skill page: https://clawhub.ai/imnull/email163-sender
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install email163-sender

ClawHub CLI

Package manager switcher

npx clawhub@latest install email163-sender
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included script: the code implements SMTP send for smtp.163.com and supports attachments/HTML/cc/bcc/history. However the registry metadata lists no required env vars even though both SKILL.md and the script rely on EMAIL_163_USER and EMAIL_163_AUTH_CODE — that metadata omission is an incoherence.
!
Instruction Scope
SKILL.md instructions tell the user to set EMAIL_163_USER and EMAIL_163_AUTH_CODE and run the script, which matches behavior. But SKILL.md does not mention that the script will create and write a local history file under WORKSPACE/.email_history (defaulting to current working directory), nor that the script disables SSL certificate verification when connecting to the SMTP server (context.check_hostname=False and context.verify_mode=ssl.CERT_NONE). Both the undocumented filesystem writes and the insecure TLS setting expand scope beyond what a casual user might expect.
Install Mechanism
Instruction-only skill with a single Python script; no install spec or remote downloads. This is low-risk from an installation surface perspective.
!
Credentials
The script requires EMAIL_163_USER and EMAIL_163_AUTH_CODE (and will also read WORKSPACE if present) but the skill metadata did not declare any required environment variables or a primary credential. Requesting an email address and auth code is reasonable for SMTP, but the omission in the metadata is a mismatch that reduces transparency. The auth code is sensitive and should be declared and stored/handled carefully.
Persistence & Privilege
The skill persists a sent_emails.json history in WORKSPACE/.email_history (or current directory if WORKSPACE unset). It does not request always:true or modify other skills. Persisting send-history is plausible for this tool but users should know exactly where data is written (SKILL.md does not document the path).
What to consider before installing
This skill appears to implement a straightforward 163.com SMTP sender, but review these issues before installing: (1) The registry metadata fails to declare required env vars — you must provide EMAIL_163_USER and EMAIL_163_AUTH_CODE; treat the auth code as a secret and store/rotate it securely. (2) The script disables TLS certificate verification when connecting to smtp.163.com (context.check_hostname=False and verify_mode=ssl.CERT_NONE) which makes the connection vulnerable to MITM; consider editing the script to enable default verification before use. (3) The script writes a history file to WORKSPACE/.email_history (or current directory) — ensure WORKSPACE is not pointed at a sensitive system path and review/clear stored history if needed. (4) Because the metadata omitted the env vars, prefer to run this in a controlled environment (not a shared CI runner) and inspect or run the script manually first. If you need help hardening the script (re-enable cert verification, make history storage explicit/configurable, avoid storing secrets in env vars), ask for a patched version or guidance.

Like a lobster shell, security has layers — review code before you run it.

163vk97ftw60tqgespve8gsf0ek2h183t5g0emailvk97ftw60tqgespve8gsf0ek2h183t5g0latestvk97ftw60tqgespve8gsf0ek2h183t5g0smtpvk97ftw60tqgespve8gsf0ek2h183t5g0
136downloads
0stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
Marvin@imnull
163emaillatestsmtp
Download

Email Sender (163)

通过授权密码发送邮件的技能。

环境配置

# 163邮箱地址
export EMAIL_163_USER="your_email@163.com"

# 授权密码(在163邮箱设置中开启)
export EMAIL_163_AUTH_CODE="your_auth_code"

获取授权密码:

  1. 登录163邮箱 → 设置 → POP3/SMTP设置
  2. 开启 POP3/SMTP服务
  3. 新增授权密码并保存

快速开始

发送简单邮件

python3 scripts/send_email.py \
  --to recipient@example.com \
  --subject "测试邮件" \
  --body "这是一封测试邮件"

发送带附件邮件

python3 scripts/send_email.py \
  --to recipient@example.com \
  --subject "报告" \
  --body "请查收附件" \
  -a report.pdf

发送HTML邮件

python3 scripts/send_email.py \
  --to recipient@example.com \
  --subject "周报" \
  --html \
  --body "<h1>周报</h1><p>本周工作进展...</p>"

查看发送历史

python3 scripts/send_email.py --list

参数说明

参数说明
--to, -t收件人邮箱(多个用逗号分隔)
--subject, -s邮件主题
--body, -b邮件正文
--htmlHTML格式邮件
-a, --attachment附件路径(可多次指定)
--cc抄送
--bcc密送
--from, -f发件人邮箱
--auth-code授权密码
--list, -l列出已发送邮件
--status查看邮件状态
--clear-history清空发送历史

常见问题

Q: 认证失败? A: 检查授权密码是否正确,确认已在163邮箱中开启POP3/SMTP服务。

Q: 附件发送失败? A: 确认文件路径正确,文件大小建议<20MB。

Comments

Loading comments...