Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tencent Exmail (腾讯企业邮箱) / qqexmail

v1.0.0

Send and receive Tencent Exmail (exmail.qq.com) mail over IMAP/SMTP. Supports sending mail, listing received mail, and fetching a message body. Credentials are read from environment variables.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hunger09/qqexmail.

Install the skill "腾讯企业邮箱/qqexmail" (hunger09/qqexmail) from ClawHub.
Skill page: https://clawhub.ai/hunger09/qqexmail
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install qqexmail

ClawHub CLI


npx clawhub@latest install qqexmail
Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (medium confidence)
Purpose & Capability (flagged)
The skill's name/description (Tencent exmail IMAP/SMTP client) matches the included code (send.js, receive.js, get-body.js) and npm dependencies (imap, mailparser, nodemailer). However the registry metadata claims no required env vars or binaries while the code requires Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE). This metadata mismatch is inconsistent and could mislead users about what the skill will access.
Instruction Scope (flagged)
SKILL.md describes expected behaviour and the code implements sending, listing, and fetching bodies and only connects to exmail.qq.com servers. However: (1) SKILL.md advertises a --days option for receive.js but the receive.js implementation parses --days but does not apply it (unused variable) — a functional mismatch; (2) get-body.js expects a UID from receive.js but uses imap.fetch([uid], ...) without explicitly using UID-mode, which may make fetching by UID unreliable (implementation bug/race); (3) get-body.js uses a fixed short timeout to wait for parsing to finish (racy). There are no calls to unexpected external endpoints, but the code reads sensitive environment variables (as advertised).
Install Mechanism
There is no remote download/install step in the skill package (no URL downloads). The package includes package.json and a package-lock, and SKILL.md instructs to run npm install and node scripts — a standard, low-risk Node.js workflow. Dependencies are common email/parsing libraries from the npm registry (imap, mailparser, nodemailer).
Credentials (flagged)
The code requires two sensitive environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE), which are exactly what an IMAP/SMTP client needs — so the variables themselves are proportionate. The problem is the registry metadata/manifest declares "Required env vars: none" and "Primary credential: none", which is incorrect and misleading. Also note EXMAIL_AUTH_CODE is a highly sensitive credential (email access) — grant only to trusted code and rotate if exposed.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges. always:false and default invocation settings are used. The code does not modify other skills or system-wide settings and does not write persistent credentials to disk. Autonomous agent invocation is enabled by default (not flagged alone), so be cautious about giving an agent email creds as it could send/read mail autonomously.
What to consider before installing
This skill appears to implement the advertised Tencent Exmail IMAP/SMTP features, but there are important caveats: (1) the registry metadata incorrectly claims no required env vars or binaries — the scripts need Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE); (2) SKILL.md mentions a --days option but receive.js does not implement it; get-body.js may not reliably fetch by UID due to how the IMAP fetch is called and uses a short timeout — these are functional bugs, not obvious malicious behavior; (3) send.js disables strict TLS verification (tls.rejectUnauthorized: false), which reduces TLS checks (may be needed in some setups but weakens security); (4) EXMAIL_AUTH_CODE grants full mailbox access — do not store it in code or public repos and rotate it if exposed. Before installing: review the code yourself (or have a developer review) and only provide credentials in a controlled environment; prefer running the scripts locally rather than giving these env vars to an autonomous agent you don't fully control. If you plan to trust this skill broadly, ask the author to correct metadata, implement the --days option (or update docs), and address the get-body UID correctness and timeout handling.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/get-body.js:4: Environment variable access combined with network send.
  • scripts/receive.js:4: Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.

99 downloads · 0 stars · 1 version · Updated 1mo ago · v1.0.0 · License: MIT-0

When to use

Use this skill when the user wants to send, receive, or look up mail with Tencent Exmail (exmail.qq.com).

Credentials (environment variables)

Variable: Description
  • EXMAIL_ACCOUNT: Tencent Exmail account (full address, e.g. name@company.com)
  • EXMAIL_AUTH_CODE: Tencent Exmail authorization code (generated under Settings → Account → Account Security; this is not the mailbox login password; never commit it to a repository)

The scripts validate both variables and exit with an error if either is missing.

Tencent Exmail servers

  • IMAP: imap.exmail.qq.com, port 993 (SSL)
  • SMTP: smtp.exmail.qq.com, port 465 (SSL)

Scripts

Script: Purpose
  • scripts/send.js: reads credentials from environment variables and sends mail through Tencent Exmail SMTP with nodemailer; recipient, subject and body are passed as CLI arguments.
  • scripts/receive.js: reads credentials from environment variables and fetches mail from Tencent Exmail IMAP with imap + mailparser; supports "most recent N messages" or "last N days" and prints each message's subject, sender, date, UID and a body excerpt.
  • scripts/get-body.js: fetches the full body of one message by UID (plain text, no excerpt truncation). --uid is required; its value is a UID from the received-mail list.

Sending mail

Run from the skill root directory (npm install must already have been run):

node scripts/send.js <recipient> <subject> <body>

If the body contains spaces, wrap it in quotes; alternatively pass only the recipient and subject and read the body from stdin (see the script's --stdin option).

Example

node scripts/send.js "recipient@example.com" "测试主题" "邮件正文内容"

Receiving mail

# Fetch the 10 most recent messages (default)
node scripts/receive.js

# Fetch the N most recent messages
node scripts/receive.js --limit 20

# Fetch messages from the last N days (e.g. 7, 30, 90)
node scripts/receive.js --days 7

Output: for each message, the subject, sender, date, UID (unique within the inbox; used to fetch the body by UID) and a body excerpt (roughly the first 200 characters).

Fetching a message body

When you need the full body of a message, run get-body.js with that message's UID from the received-mail list:

node scripts/get-body.js --uid 12345

If --uid is not given, the script prints a hint and exits. UIDs are bound to the mailbox and may become invalid after a message is moved or deleted.

  • Output: the full body is written to stdout (plain text; if the original message is HTML-only, tags are stripped in a simple way first). It can be redirected to a file or piped to other commands.
  • Environment variables: the same as for receiving; EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE are required.

Optional capabilities

  • Date range: --days 7 / --days 30 / --days 90 use the IMAP SINCE criterion.
  • Reading "My Folders": the script currently defaults to INBOX; to read a custom folder, extend the openBox call in the script.
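The receive flow above turns --limit and --days into an IMAP search whose results are the UIDs that get-body.js --uid later expects. The following is an added example, not code from the hunger09/qqexmail skill: it assumes node-imap's search(criteria, cb) signature and injects a constructed stand-in connection so the logic runs offline.

```javascript
// Added example, not code from the hunger09/qqexmail skill: mapping `--limit N` and
// `--days N` onto a node-imap search whose results are UIDs usable by `get-body.js --uid`.
// The mailbox connection is injected so the logic runs offline; with the real `imap`
// package, `conn` is the Imap instance after `openBox('INBOX', true, cb)` succeeded.

// Parse `--limit N` / `--days N` (defaults as in SKILL.md: 10 messages, no date filter).
function parseArgs(argv) {
  const opts = { limit: 10, days: null };
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === '--limit' && i + 1 < argv.length) opts.limit = Number(argv[++i]);
    else if (argv[i] === '--days' && i + 1 < argv.length) opts.days = Number(argv[++i]);
  }
  const bad = (v) => !Number.isInteger(v) || v < 1;
  if (bad(opts.limit) || (opts.days !== null && bad(opts.days))) {
    throw new Error('--limit and --days must be positive integers');
  }
  return opts;
}

// node-imap search criteria: `--days N` becomes a SINCE clause dated N days before `now`.
function buildCriteria(opts, now = new Date()) {
  if (opts.days === null) return ['ALL'];
  const since = new Date(now.getTime() - opts.days * 24 * 60 * 60 * 1000);
  return ['ALL', ['SINCE', since]];
}

// search() returns UIDs in ascending order, so the newest `limit` messages are the last entries.
function selectRecent(uids, limit) {
  return uids.slice(-limit);
}

// Search the open mailbox and resolve to the UIDs worth fetching. These are UIDs, so the
// follow-up is `conn.fetch(uids, ...)`, not `conn.seq.fetch`, which takes sequence numbers.
function recentUids(conn, argv, now = new Date()) {
  const opts = parseArgs(argv);
  return new Promise((resolve, reject) => {
    conn.search(buildCriteria(opts, now), (err, uids) =>
      err ? reject(err) : resolve(selectRecent(uids, opts.limit)));
  });
}

// Constructed stand-in for an Imap connection so the example runs without a mailbox:
// answers with `sinceUids` when a SINCE clause is present, otherwise with `allUids`.
function fakeConnection(allUids, sinceUids) {
  return {
    lastCriteria: null,
    search(criteria, cb) {
      this.lastCriteria = criteria;
      const hasSince = criteria.some((c) => Array.isArray(c) && c[0] === 'SINCE');
      cb(null, hasSince ? sinceUids : allUids);
    },
  };
}
```

With a live connection, the resolved UIDs are passed to conn.fetch for the listing, and any one of them is the value to hand to get-body.js --uid.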

Security notes

  • The Tencent Exmail authorization code is generated after enabling the IMAP/SMTP service under Settings → Client Settings; it is different from the mailbox login password, so do not confuse the two.
  • Never write the real values of EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE into code or commit them to a repository; supply them only through environment variables or a local .env file.
