Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HERA Mail

v1.0.0

Internal email system for HERA agents to send, receive, read, and manage direct messages with optional file attachments.

by Zhaorui Wu (@wzr818181)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with included scripts: list_inbox.py, read_mail.py, send_mail.py implement a local file-based mail system. The skill only performs local file I/O (read/write/copy) and does not request network access or external credentials, which is coherent with an internal mail tool.
Instruction Scope
SKILL.md instructs the agent to run the bundled scripts and describes expected directory structures, which matches the scripts. However the SKILL.md examples use placeholders like {baseDir} while the scripts hardcode an absolute base_dir (/Users/zhaoruiwu/.openclaw/workspace/hera-agents). SKILL.md also contains a metadata block requesting always: true (force inclusion). The send_mail script copies arbitrary attachment paths provided on the command line — that behavior is expected for attachments but means the skill can read any local file path you pass it (potential data access risk if misused). The docs also suggest chmod on a specific user path, leaking a developer username and encouraging use of that path.
Install Mechanism
Instruction-only skill (no install spec). No remote downloads or package installs are performed by the skill bundle itself, which limits install-time risk.
Credentials
The skill requests no environment variables or external credentials and the scripts do not read env vars. However, the scripts hardcode an absolute path under a developer home (/Users/zhaoruiwu/...), which is inflexible and reveals developer-specific context. Also, because send_mail copies arbitrary provided file paths, giving this skill access to run with your agent effectively allows it to read files you point it to.
Persistence & Privilege
Registry metadata shown to you lists always: false, but SKILL.md contains an openclaw.metadata block with "always": true. That discrepancy is important: if the platform honors the SKILL.md metadata and forces this skill always-on, it would be included in every agent run. For a file-accessing communication skill, forced always-on status increases risk and should be justified explicitly. The skill does not modify other skills or system-wide configs, but the always:true entry is a red flag unless explained.
What to consider before installing
This skill appears to implement a simple local mail system and contains no network exfiltration code, but there are coherence and risk concerns you should resolve before installing:
1) Ask the maintainer why SKILL.md sets openclaw.metadata.always = true while the registry shows always = false; never enable always:true unless you trust the source.
2) Request that the hardcoded base path (/Users/zhaoruiwu/...) be replaced with a configurable baseDir or environment variable so it won't accidentally read/write in an unexpected home directory.
3) Be aware send_mail will copy any file path you provide; avoid passing sensitive local file paths to the script and consider restricting allowable attachment directories.
4) If you proceed, run the skill in a sandboxed environment first and review/modify the scripts to use a safe, explicit data directory.
If the skill's source or maintainer cannot justify the always:true setting and the hardcoded paths, treat it with caution or do not install.
