Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

government bidding email

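A dedicated push-reporting tool for government procurement opportunities. It automatically generates an Excel file from the opportunity data and sends it by email over SMTP. It is triggered when the user says "govb-email", "政府采购商机邮件" (government procurement opportunity email), "推送政府采购商机" (push government procurement opportunities) or "政采商机通报" (government procurement opportunity bulletin). Note: this is not a general-purpose email client; it only runs the govb business logic.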

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 25 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (fetch government bidding data, generate Excel, send via SMTP) matches the code: fetcher.py builds reports and sends mail via SMTP, and config.py reads EMAIL_* settings. However, the registry metadata omits the many required EMAIL_* environment variables, and the package's pyproject.toml does not declare the external dependency 'govb_fetcher' that fetcher.py imports. The required-bins list (govb-email, govb-fetcher) and the present code (a Python package with a console entry point) are partially aligned but inconsistent about how govb_fetcher is provided.
! Instruction Scope
SKILL.md and the code instruct the agent to read .env from the current directory or ~/.config/govb-email/.env and to use SMTP credentials to send emails and attach an Excel from ~/.openclaw/workspace. These actions are within the declared purpose, but the instructions rely on externally-supplied SMTP credentials and an external module govb_fetcher. The skill asks the agent to load arbitrary .env files (cwd or home) which could contain unrelated secrets; the loader reads all key/value pairs but the code only enforces EMAIL_* keys, creating risk if misconfigured.
Install Mechanism
No registry-level install spec was provided, but SKILL.md metadata includes an 'install' hint: 'pip install -e {baseDir}', which is reasonable for a local Python package. There are no remote downloads or obscure URLs. However, pyproject.toml dependencies are minimal (only 'requests') and do not include the required govb_fetcher package — installing as-is will likely leave a missing dependency at runtime.
! Credentials
The skill needs sensitive SMTP credentials (EMAIL_SMTP_USER, EMAIL_SMTP_PASSWORD) and email addresses to operate; that is appropriate for an email-sending tool. The problem: the registry metadata declared no required env vars, while SKILL.md and the code require many EMAIL_* variables. This mismatch is a configuration/metadata coherence issue that could cause accidental credential exposure or execution failure if the user is not warned. The code loads .env files from cwd or home, so if a user has other secrets in those files they might be read into memory (though not explicitly transmitted elsewhere by this code).
Persistence & Privilege
The skill does not request 'always: true' and uses normal invocation. It does not modify other skills or system-wide settings. It uses a temporary lock file to prevent concurrent runs. No elevated persistence or special privileges are requested.
What to consider before installing
This skill broadly does what it says (fetches bidding data, creates Excel, sends email via SMTP), but there are mismatches and missing dependency declarations you should resolve before installing:
1) The package requires many EMAIL_* environment variables (including SMTP username/password) but the registry metadata does not declare them — ensure you supply these in a dedicated config file and protect that file's permissions.
2) The code imports govb_fetcher.fetcher but the project does not declare or include govb_fetcher; verify where govb_fetcher comes from and that it is a trusted package before installing.
3) Because the tool reads .env from the current directory or ~/.config/govb-email/.env, check those files do not contain unrelated secrets you don't want loaded.
4) Run the tool in an isolated environment (dedicated virtualenv/container) and test sending to a safe test address before giving it real SMTP credentials or production recipients.
If you need higher assurance, request the upstream source or a dependency list for govb_fetcher and confirm who maintains those projects.
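
A loader that addresses the .env concern raised in the scan, added here as an example and not taken from the skill's code: it refuses a config file that group or other users can access and keeps only the EMAIL_* keys listed in SKILL.md. The function names, the SAMPLE text and the UNRELATED_API_TOKEN key are assumptions made for illustration; the permission check assumes a POSIX system.

```python
import os
import stat

# The EMAIL_* keys listed in SKILL.md; nothing else is admitted.
ALLOWED_KEYS = frozenset({
    "EMAIL_TO", "EMAIL_CC", "EMAIL_FROM", "EMAIL_SMTP_HOST", "EMAIL_SMTP_PORT",
    "EMAIL_SMTP_USER", "EMAIL_SMTP_PASSWORD", "EMAIL_SUBJECT_PREFIX",
    "EMAIL_BODY_INTRO", "EMAIL_RECIPIENT_NAME", "EMAIL_SENDER_NAME",
})

# Constructed sample: one unrelated secret sits beside the mail settings.
SAMPLE = "# constructed sample\nUNRELATED_API_TOKEN=placeholder\n" + "".join(
    f"{k}='value-{i}'\n" for i, k in enumerate(sorted(ALLOWED_KEYS)))


def check_permissions(path):
    """Refuse a config file that group or other users can access (POSIX)."""
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise PermissionError(f"{path}: mode {mode:o} is too open, use 600")


def parse_env(text):
    """Parse KEY=VALUE lines; return (settings, names of ignored keys)."""
    settings, ignored = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]  # drop one pair of matching quotes
        if key in ALLOWED_KEYS:
            settings[key] = value
        else:
            ignored.append(key)  # name only; the value is discarded
    return settings, ignored


def load_config(path):
    """Load the dedicated file into a dict; os.environ is never modified."""
    check_permissions(path)
    with open(path, encoding="utf-8") as fh:
        settings, ignored = parse_env(fh.read())
    missing = sorted(ALLOWED_KEYS - settings.keys())
    if missing:
        raise KeyError("missing settings: " + ", ".join(missing))
    return settings, ignored
```

Logging the returned list of ignored key names (never their values) shows when a shared .env file is being used where a dedicated one was intended.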

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.2
latest: vk975zxvyxhq6r52857gez8j2nd83zx3v

Runtime requirements

📧 Clawdis
Bins: govb-email, govb-fetcher

SKILL.md

Govb Email

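Automatically fetches government procurement opportunities and sends an email report.

Environment variable requirements

The following core parameters must be configured in .env before this skill can be activated:

  • EMAIL_TO, EMAIL_CC, EMAIL_FROM: recipient and sender addresses
  • EMAIL_SMTP_HOST, EMAIL_SMTP_PORT: SMTP server information
  • EMAIL_SMTP_USER, EMAIL_SMTP_PASSWORD: authentication credentials
  • EMAIL_SUBJECT_PREFIX, EMAIL_BODY_INTRO: email template settings
  • EMAIL_RECIPIENT_NAME, EMAIL_SENDER_NAME: salutation and signature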

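Quick start

  • /govb-email → send yesterday's report (default)
  • /govb-email --help → show help
  • /govb-email --today → send today's report
  • /govb-email --date 2026-03-23 → send the report for a specific date
  • /govb-email --keywords "模型,仿真" → filter with custom keywords
  • /govb-email --to test@example.com → send a test to the specified recipient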

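Parameters

| Parameter | Description | Default |
|---|---|---|
| (no parameter) | Yesterday (default) | Enabled |
| --today | Today | - |
| --date YYYY-MM-DD | A specific date | - |
| --keywords WORDS | Keywords, comma-separated | Default keywords configured in govb_fetcher |
| --to ADDRESS | Send a test to the specified recipient | Value configured in .env |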

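Data sources

  • Beijing government procurement (zbcg-bjzc.zhongcy.com)
  • Hunan government procurement (ccgp-hunan.gov.cn)

Trigger phrases

发送邮件 (send email), 推送报告 (push report), 邮件通知 (email notification), 政采商机通报 (government procurement opportunity bulletin)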

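Configuration file

The configuration file is located at ~/.config/govb-email/.env and supports the following parameters:

| Environment variable | Purpose |
|---|---|
| EMAIL_TO | Recipients, comma-separated |
| EMAIL_CC | CC recipients, comma-separated |
| EMAIL_FROM | Sender |
| EMAIL_RECIPIENT_NAME | Recipient salutation |
| EMAIL_SENDER_NAME | Sender signature |
| EMAIL_SUBJECT_PREFIX | Email subject prefix |
| EMAIL_BODY_INTRO | Opening of the email body |
| EMAIL_SMTP_HOST | SMTP server |
| EMAIL_SMTP_PORT | SMTP port |
| EMAIL_SMTP_USER | SMTP username |
| EMAIL_SMTP_PASSWORD | SMTP password |

To create the configuration file, copy .env.example to ~/.config/govb-email/.env and then edit it.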

Technical notes

  • Sends email directly over SMTP (configured via the EMAIL_SMTP_* environment variables)
  • Uses a file lock to prevent concurrent runs

Files

7 total