Install
openclaw skills install mailscope-email-detection-skillMailscope Email Detection
Email security detection and analysis. Use this skill whenever the user wants to analyze, scan, or check the security of an email (.eml) file. This includes phishing detection, spoofing analysis, malicious attachment scanning, and general email threat assessment. Also use this skill when the user wants to configure their Mailscope API key (e.g. "set my api key", "configure the key", "here is my api key", "帮我配置 key"). Trigger when the user says things like "analyze this email", "check if this email is safe", "scan this .eml file", "is this phishing?", or provides a path to an .eml file and asks about its safety.
Mailscope Email Detection
Use this skill when the user wants to perform security analysis on an email (.eml) file. The skill provides a comprehensive security assessment report by uploading the file to the Mailscope analysis platform.
Language
Respond in the user's language. If they write in Chinese, reply in Chinese; if English, English. Keep technical tokens (paths, flags, field names) in English.
Workflow
Step 0: Configure API Key
When the user provides an API key (e.g., "我的 key 是 msk_xxx", "帮我配置 API Key", "set api key to msk_xxx", "这是key: msk_xxx"), write it into config.json:
- Check if
config.jsonexists in the skill root directory. If not, readconfig.json.exampleas a template and createconfig.jsonfrom it. - Read the current
config.jsonand parse it as JSON. - Set the
api_keyfield to the key the user provided. - Write the updated JSON back to
config.json(use 2-space indentation for readability). - Confirm to the user: "API Key 已配置成功。"
The user gets their API key by applying at https://x.lizhisec.com. If they ask where to get one, point them there.
Step 1: Check prerequisites
Before running the analysis, verify these conditions are met:
- Node.js 22+ is available. Check with
node --version. If not available, tell the user to install Node.js 22+. - config.json exists with a valid
api_key. If missing, guide the user through Step 0 above.
Step 2: Run the analysis script
npx tsx scripts/analyze.ts <path/to/email.eml>
The script will:
- Upload the .eml file to the analysis platform
- Poll for results every 3 seconds until analysis completes
- Display a formatted security analysis report
Step 3: Interpret results for the user
The report output is self-contained and human-readable. Key elements to help the user understand:
- 风险等级 (Risk Tier):
risky(dangerous),clean(safe), or other levels - 置信度 (Confidence): AI confidence percentage
- 身份认证 (Authentication): SPF, DKIM, DMARC results
- 域名信息 (Domain Profile): Registration date, ICP record - recently registered domains are suspicious
- AI 综合分析 (AI Analysis): Detailed threat assessment covering identity verification, behavioral patterns, intent recognition, and comprehensive judgment
If the email is flagged as risky, emphasize the recommended actions:
- Isolate the email immediately
- Block the sender domain
- Do NOT open attachments or enter passwords
- Preserve the .eml file for forensics
Error handling
Common errors and how to address them:
| Error | Cause | Solution |
|---|---|---|
| API key not configured | Missing or empty config.json | Guide user to set up config.json |
| Upload failed (HTTP 4xx) | Invalid API key | Re-apply at https://x.lizhisec.com |
| Analysis failed | Email could not be processed | Check if the .eml file is malformed |
| Analysis timeout | Platform overloaded | Wait and retry later |
| File not found | Path typo | Verify the .eml file path |
What NOT to do
- Do NOT read raw JSON from the API response and present it directly to users
- Do NOT hardcode any API keys in responses visible to the user
- Do NOT modify
config.jsonunless the user explicitly asked you to configure their API key (see Step 0) - Do NOT expose the API_BASE_URL configuration to users (internal detail)