腾讯企业邮箱/qqexmail

by hunger09 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 105 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install qqexmail
Description
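Sends and receives Tencent Enterprise Mail (exmail.qq.com) messages over IMAP/SMTP. Supports sending mail, listing received mail, and fetching message bodies. Credentials are read from environment variables.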
Usage Guidance
This skill appears to implement the advertised Tencent Exmail IMAP/SMTP features, but there are important caveats:
  (1) the registry metadata incorrectly claims no required env vars or binaries — the scripts need Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE);
  (2) SKILL.md mentions a --days option but receive.js does not implement it; get-body.js may not reliably fetch by UID due to how the IMAP fetch is called and uses a short timeout — these are functional bugs, not obvious malicious behavior;
  (3) send.js disables strict TLS verification (tls.rejectUnauthorized: false), which reduces TLS checks (may be needed in some setups but weakens security);
  (4) EXMAIL_AUTH_CODE grants full mailbox access — do not store it in code or public repos and rotate it if exposed.
Before installing: review the code yourself (or have a developer review) and only provide credentials in a controlled environment; prefer running the scripts locally rather than giving these env vars to an autonomous agent you don't fully control. If you plan to trust this skill broadly, ask the author to correct metadata, implement the --days option (or update docs), and address the get-body UID correctness and timeout handling.
Capability Analysis
Type: OpenClaw Skill
Name: qqexmail
Version: 1.0.0
The skill provides legitimate functionality for managing Tencent Enterprise Email via IMAP and SMTP, but it contains a significant security vulnerability. Specifically, `scripts/send.js` explicitly disables TLS certificate validation (`rejectUnauthorized: false`), which exposes the SMTP connection to Man-in-the-Middle (MITM) attacks. While the code logic aligns with the stated purpose and shows no evidence of intentional malice or data exfiltration, the prompt instructions require classifying such vulnerabilities as suspicious.
Capability Assessment
Purpose & Capability
The skill's name/description (Tencent exmail IMAP/SMTP client) matches the included code (send.js, receive.js, get-body.js) and npm dependencies (imap, mailparser, nodemailer). However the registry metadata claims no required env vars or binaries while the code requires Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE). This metadata mismatch is inconsistent and could mislead users about what the skill will access.
Instruction Scope
SKILL.md describes expected behaviour and the code implements sending, listing, and fetching bodies and only connects to exmail.qq.com servers. However:
  (1) SKILL.md advertises a --days option for receive.js, but the implementation parses --days without applying it (unused variable) — a functional mismatch;
  (2) get-body.js expects a UID from receive.js but uses imap.fetch([uid], ...) without explicitly using UID-mode, which may make fetching by UID unreliable (implementation bug/race);
  (3) get-body.js uses a fixed short timeout to wait for parsing to finish (racy).
There are no calls to unexpected external endpoints, but the code reads sensitive environment variables (as advertised).
Install Mechanism
There is no remote download/install step in the skill package (no URL downloads). The package includes package.json and a package-lock, and SKILL.md instructs to run npm install and node scripts — a standard, low-risk Node.js workflow. Dependencies are common email/parsing libraries from the npm registry (imap, mailparser, nodemailer).
Credentials
The code requires two sensitive environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE), which are exactly what an IMAP/SMTP client needs — so the variables themselves are proportionate. The problem is the registry metadata/manifest declares "Required env vars: none" and "Primary credential: none", which is incorrect and misleading. Also note EXMAIL_AUTH_CODE is a highly sensitive credential (email access) — grant only to trusted code and rotate if exposed.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges. always:false and default invocation settings are used. The code does not modify other skills or system-wide settings and does not write persistent credentials to disk. Autonomous agent invocation is enabled by default (not flagged alone), so be cautious about giving an agent email creds as it could send/read mail autonomously.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install qqexmail
  3. After installation, invoke the skill by name or use /qqexmail
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of 腾讯企业邮箱 skill:
  - Send, receive, and read emails from exmail.qq.com via IMAP/SMTP using Node.js scripts.
  - Credentials (account and authorization code) are read from environment variables.
  - Includes scripts for sending (`send.js`), receiving (`receive.js`), and fetching full email body by UID (`get-body.js`).
  - Supports fetching recent N messages or messages from the last N days, with convenient CLI options.
  - Output includes subject, sender, date, UID, and content summary. Full plain-text body available by UID.
  - Security best practices: never commit credentials; use authorization code, not login password.
Metadata
Slug qqexmail
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is 腾讯企业邮箱/qqexmail?

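Sends and receives Tencent Enterprise Mail (exmail.qq.com) messages over IMAP/SMTP. Supports sending mail, listing received mail, and fetching message bodies. Credentials are read from environment variables. It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.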

How do I install 腾讯企业邮箱/qqexmail?

Run "/install qqexmail" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is 腾讯企业邮箱/qqexmail free?

Yes, 腾讯企业邮箱/qqexmail is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does 腾讯企业邮箱/qqexmail support?

腾讯企业邮箱/qqexmail is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created 腾讯企业邮箱/qqexmail?

It is built and maintained by hunger09 (@hunger09); the current version is v1.0.0.
