ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ews Email

v1.2.0

CLI to manage enterprise Outlook emails via Exchange Web Services (EWS). Use ews-mail.py to list, read, reply, forward, search, send, move, delete emails and...

0· 430·1 current·1 all-time
by@guyun94
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements an Exchange Web Services CLI (listing, reading, sending, moving, deleting messages) which matches the name/description. However the registry metadata says "Required env vars: none" while the SKILL.md and script clearly require EWS_EMAIL and EWS_SERVER (and optionally KEYRING_CRYPTFILE_PASSWORD on headless Linux). That registry/instruction mismatch is inconsistent.
Instruction Scope
Runtime instructions are scoped to email management: installing keyring/exchangelib, storing a password in the system keyring or encrypted keyring, and running the script to list/read/send/modify mail. The script reads/writes an on-disk cache (~/.openclaw/.ews-mail-cache.json) and uses the system keyring; it does not contact unexpected external endpoints beyond the Exchange server.
Install Mechanism
This is instruction-only with one included Python script; required Python packages are standard (keyring, exchangelib, optional keyrings.alt). No remote downloads or obscure install URLs are used.
!
Credentials
Declared primaryEnv is EWS_EMAIL (appropriate). But SKILL.md and the script also require EWS_SERVER and may require KEYRING_CRYPTFILE_PASSWORD on headless Linux; these were not listed in the top-level 'Required env vars'. The script explicitly avoids storing the EWS password in env/config and instead uses the keyring, which is good, but you should confirm where KEYRING_CRYPTFILE_PASSWORD will be stored (env or config) because that master password protects the encrypted keyring file.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It stores a local cache (~/.openclaw/.ews-mail-cache.json) and uses the system keyring; it does not modify other skills or system-wide agent settings.
What to consider before installing
This skill appears to be a legitimate EWS email CLI, but exercise caution before installing from an unknown source: 1) Verify and reconcile the env var requirements: set EWS_SERVER and EWS_EMAIL as documented (and KEYRING_CRYPTFILE_PASSWORD on headless Linux) — the registry entry omitted those. 2) Inspect the full script yourself (or run it in an isolated environment) since the package has no homepage and an unknown owner. 3) Be aware it will store an encrypted password via your system keyring (or an AES-encrypted keyring file if headless); protect the KEYRING_CRYPTFILE_PASSWORD and avoid putting it in world-readable config. 4) Note the script writes a cache at ~/.openclaw/.ews-mail-cache.json — protect that file. 5) If you need higher assurance, run the tool in a sandboxed account/container or ask the publisher for a verifiable source (homepage or signed release) before granting access to your mailbox.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ax61yfdnb400r0s2mn0811x82kehh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binspython3
Primary envEWS_EMAIL

Comments