Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SZZG007 Email Business Manager

v1.0.0

Centrally manage mailboxes across multiple cross-border e-commerce business lines, automatically classify customer emails, extract communication history, and generate multilingual smart reply suggestions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The declared purpose (manage and classify business emails, extract history, suggest replies) is plausible. However, the published registry metadata lists no required env vars or install, while SKILL.md explicitly documents EMAIL_USER/EMAIL_PASSWORD, storage paths, and local scripts, which is a contradiction. SKILL.md also lists an SMTP host/port (smtp.exmail.qq.com:465), but the skill's stated features require reading mailboxes (IMAP/POP) rather than only sending mail, which indicates a technical mismatch.
Instruction Scope
SKILL.md instructs the agent to access mailbox data, read/write local workspace paths (~/.openclaw/...), and run or rely on scripts (classify.py, history.py, reply.py, sync.py) that are referenced but not included. Instructions do not specify where processing happens (local vs remote) or how authentication is performed, and they require handling of sensitive message contents — all of which expand the agent's runtime scope beyond what the registry metadata declares.
Install Mechanism
There is no install specification (instruction-only), which lowers installation risk. However SKILL.md assumes a workspace layout and local scripts/templates that are not bundled. That gap is a coherence issue: either an installer/repo is missing or the skill expects existing files on disk.
Credentials
Although the registry lists no required env vars, SKILL.md asks the user to set EMAIL_USER and EMAIL_PASSWORD (sensitive credentials), storage paths, and business-line config. Requesting mailbox credentials is proportionate to an email manager only if the skill legitimately needs mailbox access — but the skill fails to specify required protocol (IMAP vs SMTP) and does not justify why full mailbox credentials (rather than scoped/app-specific tokens or read-only access) are needed. This mismatch increases risk of credential exposure.
Persistence & Privilege
The skill does not request always:true and does not include an install that claims persistent system-level changes, which is good. However, SKILL.md suggests the skill will store email data and credentials under a workspace path and integrate with other internal skills; combining autonomous invocation (platform default) with access to emails and local storage gives a larger blast radius. No explicit modification of other skills' configs is described.
Scan Findings in Context
[no_regex_findings] expected: Scanner had no code to analyze (instruction-only SKILL.md). That's expected but means static rules offer little signal — evaluate SKILL.md content instead.
What to consider before installing
Do not supply your real mailbox password or place the skill's suggested credentials into your environment until you verify the source. Specific things to verify with the author or publisher before installing or using:
1) Provide a trusted repository or release (source code) that contains the referenced scripts and templates.
2) Explain exactly how mail access is performed (IMAP/POP read-only vs SMTP only), and prefer scoped/read-only or app-specific tokens rather than full account passwords.
3) Clarify where processing occurs (locally on your machine, inside the agent runtime, or on a remote server) and how data is transmitted or stored.
4) Fix the SMTP vs IMAP mismatch in the docs.
5) If you must test, do so in a safe sandbox account with no sensitive customers and with minimal privileges.
Given the missing files and the sensitive env var guidance inside SKILL.md, treat this skill as untrusted until the above are resolved.
