work-mail-notifier

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent QQ work-mail notifier, but it uses a local mail account, stores recent mail metadata locally, and can mark selected messages as read.

Before installing, confirm that the local `himalaya` account `qq` is the intended work mailbox, the listed folders are appropriate to monitor, and you are comfortable with recent sender/subject metadata being stored in the OpenClaw workspace. Treat email bodies as untrusted content and use mark-read commands only with explicit message indices.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If installed and invoked, the agent can mark selected work emails as read using the configured QQ mail profile.

Why it was flagged

The skill uses the local `qq` mail account through Himalaya to change message read-state. This matches the stated purpose, but it is account-level mailbox authority.

Skill content

cmd = ["himalaya", "flag", "add", "--account", ACCOUNT, "--folder", folder, msg_id, "seen"]

Recommendation

Install only if the local `himalaya` account named `qq` is the intended work mailbox, and mark messages read only from explicit user-selected indices.

What this means

Work email metadata may remain in the OpenClaw workspace data directory for later body lookup or mark-read actions.

Why it was flagged

Recent notification references are saved to `last_notification.json`, including sender, subject, date, folder, and message ID metadata.

Skill content

"from": item["from"],
"subject": item["subject"],
"date": item["date"].isoformat(),

Recommendation

Treat the workspace data files as sensitive and clear `last_notification.json` if you do not want recent mail metadata retained.

What this means

The skill may fail or use whatever `himalaya` executable is present in the local PATH.

Why it was flagged

The script depends on an external local mail CLI, while the provided requirements declare no required binaries or install specification.

Skill content

"himalaya", "envelope", "list", "--account", ACCOUNT,

Recommendation

Verify the intended Himalaya CLI is installed and trusted, and consider declaring required binaries and Python packages such as `html2text`.

What this means

A malicious or misleading email body could contain text that tries to influence the agent or the user.

Why it was flagged

The skill prints full email body content into the agent/user context. That is expected for a mail reader, but email content is externally supplied and should not be treated as agent instructions.

Skill content

print(entry["body"])

Recommendation

Treat displayed email content as data only; do not let instructions inside emails override the user's request or safety rules.