← Back to Skills Marketplace

Email Summary

Name: Email Summary
Author: linzmin

by linzmin · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

154

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install qq-email-summary

Description

邮件摘要技能 - 自动获取并摘要每日邮件（QQ 邮箱）

Usage Guidance

Do not install or run this skill as-is. Before proceeding: 1) Remove the committed config/email-config.json and data/emails.json from the package — they contain a real-looking email address and an IMAP auth code and a large mailbox dump. Treat those as leaked secrets; if they are yours, immediately rotate the authorization code. 2) Replace the config file with a template (config.example.json) and enter your credentials locally only when prompted by setup. 3) Inspect the default WEIXIN_CHANNEL/ACCOUNT/USER_ID values — replace them with your own or unset them so messages are not pushed to a third party. 4) Review use of execSync/openclaw CLI: ensure the openclaw messaging endpoint/account is trusted, and run the scripts in an isolated environment first. 5) If you cannot verify why the repo included real credentials/emails, consider the package untrusted and avoid running it; request a clean release (no credentials/data) from the author or use an alternative implementation.

Capability Analysis

Type: OpenClaw Skill Name: qq-email-summary Version: 1.0.0 The skill bundle exhibits high-risk behavior and significant data leakage, likely due to extreme developer negligence or a 'phone home' data collection strategy. Most critically, 'scripts/summarize-emails.js' contains a hardcoded default WeChat USER_ID ('[email protected]') which causes user email summaries to be exfiltrated to the author if environment variables are not configured. Furthermore, the bundle improperly includes a live 'config/email-config.json' file containing a plaintext QQ email address and IMAP authorization code, alongside 'data/emails.json' which contains over 1,600 private email headers. While the inclusion of the author's own credentials suggests a lack of hygiene rather than targeted malice, the hardcoded reporting sink remains a significant security risk.

Capability Assessment

⚠ Purpose & Capability

The skill's name/description (QQ email summary) align with the scripts (IMAP fetch, classify, summarize, push to Weixin). However the repository contains a committed config/email-config.json with a populated authCode and email address and a large data/emails.json with many real-looking emails. A mailbox-summary skill should ship example/config templates (config.example.json) — not a real credentials-bearing config and a full mailbox dump. Including these sensitive artifacts is disproportionate to the stated purpose and likely a privacy/credential leak.

ℹ Instruction Scope

SKILL.md instructs the agent to run setup, fetch, summarize and optionally add a cron — all within expected scope. The summarize script invokes an external CLI (openclaw message send) via execSync to push the summary to Weixin; that is consistent with the documented 'WeChat push' feature but it builds a shell command with generated content (moderate command-construction risk). The instructions warn not to commit config, yet the repo contains committed config and data (contradiction).

✓ Install Mechanism

No install spec; Node scripts and dependencies are included in package.json/package-lock.json. No third-party download URLs or extract/install steps are present. This is low risk from an install mechanism POV.

⚠ Credentials

The skill declares no required environment variables but uses optional WEIXIN_* env vars and hard-coded default CHANNEL/ACCOUNT/USER_ID values inside summarize-emails.js. Those defaults appear to target a specific Weixin account/recipient and could cause messages to be sent externally without the user configuring their own account. More importantly, the repository already contains an authCode in config/email-config.json — a clear mismatch: the skill both bundles sensitive credentials and also expects the user to provide them interactively. Bundled credentials/data are unjustified.

✓ Persistence & Privilege

always is false and scripts only create/modify files under the skill's own config/data/reports directories. The setup script writes its own config file and (temporarily) a test script; it does not modify other skills or system-wide settings. No elevated persistence privileges are requested.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install qq-email-summary
After installation, invoke the skill by name or use /qq-email-summary
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release – 自动获取与摘要 QQ 邮箱邮件。 - 支持 QQ 邮箱 IMAP 自动获取邮件 - 智能分类：重要、普通、推广、垃圾 - 每日邮件摘要生成并支持微信推送 - 配置向导及自动定时任务 - 命令行工具：邮箱配置、邮件获取、摘要生成、连接测试

Metadata

Slug qq-email-summary

Version 1.0.0

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Email Summary?

邮件摘要技能 - 自动获取并摘要每日邮件（QQ 邮箱）. It is an AI Agent Skill for Claude Code / OpenClaw, with 154 downloads so far.

How do I install Email Summary?

Run "/install qq-email-summary" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Email Summary free?

Yes, Email Summary is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Email Summary support?

Email Summary is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Email Summary?

It is built and maintained by linzmin (@linzmin); the current version is v1.0.0.

More Skills