ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

China Telecom Mail

v1.0.0

Send and receive emails via China Telecom (POP3:995, SMTP:465). Lists today's emails, reads content, forwards emails, and sends new emails.

0· 43·1 current·1 all-time
by@williamwang-wh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (China Telecom mail via POP3/SMTP) matches the code and instructions: the script connects to pop.chinatelecom.cn:995 and smtp.chinatelecom.cn:465 and implements list/read/send/forward functionality. Required binaries (python, uv) correspond to the documented usage.
Instruction Scope
Runtime instructions stay within the stated purpose (copy skill, edit config.toml, run commands). One minor inconsistency: README claims support for environment-variable configuration, but load_config() only reads config.toml (no environment-variable parsing was found in the provided source). Also the provided main.py content is truncated in the listing, so the final forwarding logic and any remaining behavior should be reviewed in the full file.
Install Mechanism
No install/download steps or remote installers are included; the skill is distributed as files to copy into the skills directory. This has low install risk because nothing is pulled from external URLs.
Credentials
The skill requires storing your China Telecom email username/password in config.toml (expected for an IMAP/POP3 client). No unrelated credentials or environment variables are requested. Credentials are stored locally in the skill directory (user-provided), which is normal but requires safe handling.
Persistence & Privilege
The skill does not request elevated platform privileges and is not always-enabled. It runs only when invoked; autonomous invocation is allowed by default on the platform but is not combined here with excessive privileges.
Assessment
This skill appears to be a simple China Telecom POP3/SMTP client and is coherent with its description, but before installing: 1) Inspect the full main.py file (the provided listing was truncated) to confirm there is no hidden network activity or unexpected data uploads. 2) Store credentials securely: use an app-specific password or authorization code (if China Telecom supports it) and set config.toml file permissions so others can't read it; do not commit it to version control. 3) Note README mentions environment-variable support that the code does not appear to implement—verify how you want to supply credentials. 4) If you are concerned about risk, run the skill in an isolated environment (container or VM) the first time and monitor network connections. 5) If you need stronger guarantees, prefer a client that supports token-based auth (OAuth) or official libraries from the service provider.

Like a lobster shell, security has layers — review code before you run it.

latestvk970230nx5x47h5mmb9jp33zfx83wr60

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binsuv, python

Comments