eml to sqlite indexer
v7.0.1
Indexes EML emails into an SQLite database, providing a web interface for searching, management, Excel export, and file deletion, with IP access control and...
by william @williamfromtw
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (index EML into SQLite, provide web search, export, deletion, backups) match the provided files (indexer.py for indexing; app.py for Flask UI, search, export, deletion, scheduled backup). No unrelated environment variables, binaries, or external services are requested.
Instruction Scope
SKILL.md and the code instruct the agent/user to index local EML files, run a Flask web app, create/serve backups, and allow admin-triggered physical file deletion. These behaviors are within the stated purpose, but file-deletion and import/restore functionality have security/operational impact (see details below). The app does not attempt outbound network exfiltration or read unrelated system credentials.
Install Mechanism
No install spec; the project is instruction-and-code only and uses standard Python libraries listed in requirements.txt (Flask, tqdm). This is proportionate for a Python Flask application and minimizes install-time risk.
Credentials
No environment variables or external service credentials are requested; configuration is handled via local config.json. The requested resources are proportional to the stated purpose.
Persistence & Privilege
The app launches a background thread that performs scheduled backups while the server runs; this is consistent with the described scheduled-backup feature. The skill does not request forced-permanent inclusion (always:true) or modify other skills. Note that running the app grants it persistent local disk write access for backups and the database while it runs.
Assessment
This package appears to do what it claims, but treat it as high-impact tooling and do not run it on untrusted hosts or exposed servers without changes. Before installing/running:
1) Change the default admin password in config.json (default is 'change_me_now').
2) Restrict allowed_ips to only the hosts that must access the UI (do not include broad network ranges).
3) Run the web app only on a trusted host (or inside an isolated container/VM) because it reads and can delete local files and writes backups to disk.
4) Review and test the delete/restore behavior: the code deletes the DB record before attempting file removal and uses simple checks ('..' and .eml suffix) which may be insufficient for all path-traversal or symlink scenarios—consider hardening path validation and restricting deletion to known mail directories.
5) Protect backups (encrypt or move to secure storage) if they contain sensitive content.
6) If you must expose the UI remotely, add transport security (TLS), strong authentication, and audit logging.
If you want, I can list exact code lines to change to harden deletion, authentication, and backup handling.
Like a lobster shell, security has layers — review code before you run it.
