Email sending via 163 Mail SMTP
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: email163
Version: 1.0.0
The skill bundle provides a Go-based utility for sending emails via 163.com, but it contains a significant security vulnerability in `scripts/main.go` where `InsecureSkipVerify: true` is used, disabling TLS certificate validation and exposing credentials to Man-in-the-Middle (MITM) attacks. Additionally, the source code includes an unused function `Get163EmailInfo` containing specific templates for 'SDK Permit Applications,' suggesting the code may have been repurposed from another context without proper cleanup. While no clear malicious intent or exfiltration logic was found, the combination of weak transport security and vestigial code warrants a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network attacker who can intercept the connection could impersonate the SMTP server and capture the email authorization code or message content.
The tool reads the 163 SMTP authorization code from the environment and then authenticates over a TLS connection that explicitly skips certificate verification.
emailPassword := os.Getenv("EMAIL163_PASSWORD") ... tlsConfig := &tls.Config{ InsecureSkipVerify: true, ServerName: smtpHost }
Do not use this with a real authorization code until TLS verification is fixed: remove InsecureSkipVerify (or set it to false) so that normal certificate validation applies, and rotate any authorization code that has already been used with the tool.
Copies of sent email details may remain on disk and could be read later by other local processes, backups, or users with file access.
The default log path is the current directory, and each send appends a local log entry containing recipient, subject, truncated message content, and result.
var logPath = flag.String("log", "./", "日志文件保存路径(可选)") ... 邮件内容: %s ... os.OpenFile(logFilePath, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
Use a protected log directory, avoid sending highly sensitive content through this tool unless logging is acceptable, and consider adding an explicit no-log option or stricter file permissions.
If invoked without clear approval, the agent could create irreversible outgoing email activity from the user's account.
The skill supports sending outbound email, including multi-recipient messages, from the user's configured 163 account.
email163 --subject "群发邮件" --info "内容" --to user1@example.com,user2@example.com,user3@example.com
Require explicit user confirmation of recipients, subject, and body before sending any email.
