Alimail Manager
v0.1.2提供阿里邮箱API调用能力,支持用户信息查询、邮件详情获取、邮件搜索;当用户需要查询企业邮箱用户信息、查看特定邮件内容、搜索符合条件的邮件时使用
⭐ 0· 123·0 current·0 all-time
by@vber
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description, required env vars (ALMAIL_APP_ID, ALMAIL_SECRET), and the npm dependency (alimail-node-sdk) line up with an AliMail API client. The scripts only call user/message/search APIs consistent with the stated capabilities.
Instruction Scope
SKILL.md instructs running the included scripts (get_user, get_message, search_messages) and to install the official SDK. The instructions do not ask the agent to read unrelated files, transmit data to unexpected endpoints, or access additional environment variables beyond the declared ALMAIL_* values. The only internal file referenced for docs is references/alimail-api.md, which documents the API.
Install Mechanism
There is no platform install spec; SKILL.md instructs installing the npm package alimail-node-sdk. That is a normal dependency for a Node.js SDK but does carry typical npm supply-chain risk — the package source/version should be verified before installing in sensitive environments.
Credentials
The skill requires only ALMAIL_APP_ID and ALMAIL_SECRET, which are exactly the credentials needed for OAuth2 client_credentials to call AliMail. No unrelated credentials or secrets are requested.
Persistence & Privilege
Skill flags are default (not always:true). It does not request persistent system privileges or modify other skills. Scripts run ad-hoc and require the SDK and environment variables; nothing indicates elevated or permanent system presence.
Assessment
This skill appears internally consistent with its stated purpose. Before installing, verify the following: (1) only provide ALMAIL_APP_ID and ALMAIL_SECRET for an app with the minimum scopes needed (prefer read-only scopes such as Mail.Read.* and User.Read.* where possible); (2) review or pin the alimail-node-sdk package/version and its source to reduce npm supply-chain risk; (3) run first in an isolated or non-production environment to confirm behavior; (4) rotate credentials if you later remove the skill; and (5) if you are uncomfortable with autonomous agent invocation, disable autonomous use for this skill until you have vetted it.Like a lobster shell, security has layers — review code before you run it.
latestvk975zeh2dp4qqrws7zncf03r2x8394xj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.