ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Summary

邮件摘要技能 - 自动获取并摘要每日邮件(QQ 邮箱)

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 45 · 0 current installs · 0 all-time installs
by@linzmin
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's name/description (QQ email summary) align with the scripts (IMAP fetch, classify, summarize, push to Weixin). However the repository contains a committed config/email-config.json with a populated authCode and email address and a large data/emails.json with many real-looking emails. A mailbox-summary skill should ship example/config templates (config.example.json) — not a real credentials-bearing config and a full mailbox dump. Including these sensitive artifacts is disproportionate to the stated purpose and likely a privacy/credential leak.
Instruction Scope
SKILL.md instructs the agent to run setup, fetch, summarize and optionally add a cron — all within expected scope. The summarize script invokes an external CLI (openclaw message send) via execSync to push the summary to Weixin; that is consistent with the documented 'WeChat push' feature but it builds a shell command with generated content (moderate command-construction risk). The instructions warn not to commit config, yet the repo contains committed config and data (contradiction).
Install Mechanism
No install spec; Node scripts and dependencies are included in package.json/package-lock.json. No third-party download URLs or extract/install steps are present. This is low risk from an install mechanism POV.
!
Credentials
The skill declares no required environment variables but uses optional WEIXIN_* env vars and hard-coded default CHANNEL/ACCOUNT/USER_ID values inside summarize-emails.js. Those defaults appear to target a specific Weixin account/recipient and could cause messages to be sent externally without the user configuring their own account. More importantly, the repository already contains an authCode in config/email-config.json — a clear mismatch: the skill both bundles sensitive credentials and also expects the user to provide them interactively. Bundled credentials/data are unjustified.
Persistence & Privilege
always is false and scripts only create/modify files under the skill's own config/data/reports directories. The setup script writes its own config file and (temporarily) a test script; it does not modify other skills or system-wide settings. No elevated persistence privileges are requested.
Scan Findings in Context
[base64-block] unexpected: The pre-scan flagged a base64-block pattern. SKILL.md itself does not include an obvious base64 payload, but data/emails.json contains multiple encoded/quoted subject lines (=?utf-8?B?...?=) which may have triggered the heuristic. This finding is not expected for a benign README/instructions and deserves manual inspection of any encoded payloads in the included data files.
What to consider before installing
Do not install or run this skill as-is. Before proceeding: 1) Remove the committed config/email-config.json and data/emails.json from the package — they contain a real-looking email address and an IMAP auth code and a large mailbox dump. Treat those as leaked secrets; if they are yours, immediately rotate the authorization code. 2) Replace the config file with a template (config.example.json) and enter your credentials locally only when prompted by setup. 3) Inspect the default WEIXIN_CHANNEL/ACCOUNT/USER_ID values — replace them with your own or unset them so messages are not pushed to a third party. 4) Review use of execSync/openclaw CLI: ensure the openclaw messaging endpoint/account is trusted, and run the scripts in an isolated environment first. 5) If you cannot verify why the repo included real credentials/emails, consider the package untrusted and avoid running it; request a clean release (no credentials/data) from the author or use an alternative implementation.
scripts/setup-qq-email.js:108
Shell command execution detected (child_process).
scripts/summarize-emails.js:106
Shell command execution detected (child_process).
scripts/summarize-emails.js:15
Environment variable access combined with network send.
!
scripts/fetch-emails.js:21
File read combined with network send (possible exfiltration).
!
scripts/summarize-emails.js:24
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975048vzct9ssvkn98td74rn983n4gy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

邮件摘要技能

📧 你的私人邮件秘书,让处理邮件更高效!

🎯 功能特性

  • ✅ QQ 邮箱 IMAP 自动获取
  • ✅ 智能分类(重要/普通/推广/垃圾)
  • ✅ 每日摘要生成
  • ✅ 微信推送摘要
  • ✅ 自动定时任务

🚀 快速开始

1. 配置 QQ 邮箱

./scripts/setup-qq-email.js

按提示输入:

  • QQ 邮箱地址
  • IMAP 授权码

2. 获取邮件

./scripts/fetch-emails.js

3. 生成摘要

./scripts/summarize-emails.js --save --send

📋 命令详解

配置邮箱 setup-qq-email.js

./scripts/setup-qq-email.js

交互式配置向导,自动测试连接。

获取邮件 fetch-emails.js

# 获取最近 50 封邮件
./scripts/fetch-emails.js

生成摘要 summarize-emails.js

# 预览
./scripts/summarize-emails.js

# 保存并发送
./scripts/summarize-emails.js --save --send

测试连接 test-connection.js

./scripts/test-connection.js

📁 文件结构

email-summary/
├── scripts/
│   ├── setup-qq-email.js      # 配置向导
│   ├── fetch-emails.js        # 获取邮件
│   ├── summarize-emails.js    # 生成摘要
│   └── test-connection.js     # 测试连接
├── config/
│   └── email-config.json      # 邮箱配置(敏感!)
├── data/
│   └── emails.json            # 邮件数据
├── reports/                   # 生成的摘要
└── tests/                     # 测试脚本

🔧 QQ 邮箱配置

开启 IMAP/SMTP

  1. 登录 https://mail.qq.com
  2. 点击"设置" → "账户"
  3. 开启"IMAP/SMTP 服务"
  4. 生成授权码

配置参数

{
  "email": {
    "provider": "qq",
    "address": "YOUR_QQ@qq.com",
    "imap": {
      "host": "imap.qq.com",
      "port": 993,
      "tls": true
    }
  }
}

📊 邮件分类规则

分类关键词
重要urgent, important, 紧急,重要,会议,report
推广promo, discount, 优惠,促销,订阅,营销
垃圾发票,代开,赌博,彩票
普通其他

⏰ 定时任务

安装时可选择添加 cron 任务,每天 20:00 自动获取并发送摘要:

0 20 * * * /path/to/fetch-emails.js && /path/to/summarize-emails.js --send

🔒 安全说明

  • 配置文件 config/email-config.json 包含敏感信息
  • 文件权限已设置为 600(仅所有者可读写)
  • 不要将配置文件提交到 Git
  • 授权码泄露可重新生成

❓ 常见问题

Q: 授权码是什么?

A: QQ 邮箱生成的专用密码,不是 QQ 登录密码。在"设置→账户"中生成。

Q: 连接失败怎么办?

A: 检查:

  1. IMAP/SMTP 服务是否开启
  2. 授权码是否正确
  3. 网络连接是否正常

运行 ./scripts/test-connection.js 测试连接。

Q: 支持其他邮箱吗?

A: 目前只支持 QQ 邮箱。Gmail/Outlook/163 等支持计划中。

📝 更新日志

v1.0.0 (2026-03-26)

  • ✅ QQ 邮箱 IMAP 集成
  • ✅ 邮件获取和分类
  • ✅ 摘要生成
  • ✅ 微信推送
  • ✅ 配置向导

🦆 作者

鸭鸭 (Yaya) - 你的私人邮件秘书

📄 许可证

MIT-0 License

Files

12 total
Select a file
Select a file to preview.

Comments

Loading comments…