QQ邮箱发票下载器 (QQ Mail Invoice Downloader)
by FrankFuShMomentLab · GitHub ↗ · v1.1.0 · MIT-0
109 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install qq-invoice-downloader
Description
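Automatically logs in to QQ Mail, searches for invoice emails by date, downloads PDF attachments and extracts ZIP archives, filters out non-invoices, and generates a categorized Excel report.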
Usage Guidance
Do not run this skill as-is. Before installing or executing:
1) Search the code and remove/replace any hard-coded EMAIL and PASSWORD values — never run code that logs into someone else's mailbox.
2) Change BASE_DIR/OUTPUT_DIR to a configurable value (env var or CLI arg) so files are written to a safe location you control.
3) Inspect send_report.py / send_report_telegram.py to see whether and where results are transmitted; if you don't want external uploads, disable or remove those parts.
4) If you must use the skill, provide your own mailbox credentials via a secure mechanism (never embed them in the repo); run in an isolated VM and with a throwaway mailbox for testing.
5) Consider running a local static secrets scan and reviewing network endpoints the code contacts.
If you are unsure or cannot confidently audit the code, avoid using it or request a version that accepts credentials and paths via documented, secure configuration.
Capability Analysis
Type: OpenClaw Skill
Name: qq-invoice-downloader
Version: 1.1.0
The skill bundle contains multiple hardcoded sensitive credentials, including a QQ email address and IMAP authorization code ([email protected] / dcdrfqjmoczrbhdj) and a functional Telegram Bot Token (8408048074:AAHRX5vogDUKZjdf-mL4ByJ8ukihRosqFpI) found in files like browser_processor.py and send_report_telegram.py. Most critically, send_report_telegram.py is designed to exfiltrate the generated '发票目录.xlsx' (which contains sensitive financial and personal data) to the hardcoded Telegram bot. While these are presented as reporting features, the use of hardcoded destination endpoints for sensitive data in a shared skill bundle is a significant security risk and resembles data exfiltration behavior.
Capability Assessment
Purpose & Capability
The code and SKILL.md are consistent with the stated purpose (search QQ mailbox, download PDF/ZIP attachments, process and report). However multiple files hard-code a specific QQ email and password and a Windows base directory (e.g., BASE_DIR = r"Z:\OpenClaw\InvoiceOC" and EMAIL/PASSWORD constants). A user would expect to provide their own mailbox credentials and output directory; hardcoding the author's credentials and path is disproportionate and inappropriate.
Instruction Scope
SKILL.md documents running invoice_downloader_v82.py and optional MINIMAX_API_KEY use, but it does not tell users to configure mailbox credentials or the BASE_DIR. The runtime files connect to imap.qq.com, log in with the embedded credentials, fetch emails, open arbitrary links in a browser (Playwright), download files, and write to fixed disk locations. The instructions are incomplete/ambiguous and grant broad file- and network-access behavior not described in the manifest.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded by the registry. The code requires runtime dependencies (playwright, imap-tools, requests, pandas) and Playwright will install browsers when used. This is expected for a browser-automation downloader and is not itself a high install risk, but the skill will execute many network and local I/O operations when run.
Credentials
The manifest declares no required environment variables, yet the code uses: hard-coded EMAIL/PASSWORD/IMAP_SERVER and hard-coded output directories. SKILL.md mentions MINIMAX_API_KEY for optional LLM fallback but the primary authentication for mailbox access is not configurable via environment variables as the user would expect. There are also files (send_report_telegram.py / send_report.py referenced) that can send results externally but the skill does not declare or document required remote tokens/webhooks — this mismatch increases the risk of unexpected data transmission.
Persistence & Privilege
The skill is user-invocable and not marked always:true. It does not declare changes to other skills or global agent settings. It will run with the invoking agent's privileges and perform network and file operations, which is normal for this functionality. There is no evidence it attempts to persistently modify the agent registry or autostart itself.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install qq-invoice-downloader
- After installation, invoke the skill by name or use /qq-invoice-downloader
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
v1.1: LLM-enhanced analysis Phase 1 complete, selectors for 33 platforms, verified against the real MiniMax-M2.7 API
v1.0.0
Initial release: v8.2, env vars for credentials, supports QQ email IMAP auto-login and PDF download
Frequently Asked Questions
What is QQ邮箱发票下载器?
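It automatically logs in to QQ Mail, searches for invoice emails by date, downloads PDF attachments and extracts ZIP archives, filters out non-invoices, and generates a categorized Excel report. It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.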
How do I install QQ邮箱发票下载器?
Run "/install qq-invoice-downloader" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is QQ邮箱发票下载器 free?
Yes, QQ邮箱发票下载器 is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does QQ邮箱发票下载器 support?
QQ邮箱发票下载器 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created QQ邮箱发票下载器?
It is built and maintained by FrankFuShMomentLab (@frankfushmomentlab); the current version is v1.1.0.