cjboy007

Okki Sync Mail

by Jaden's built a claw · GitHub ↗ · v2.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads 107
Stars 0
Active Installs 0
Versions 2
Install in OpenClaw
/install okki-sync-mail
Description
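A complete email automation solution integrated with OKKI CRM. Supports automatic IMAP email capture, SMTP sending, dry-run mode, send logs, rate limiting, scheduled sending, signature templates, mail rules, connection pool optimization, email forwarding, and more. Automatically syncs inbound/outbound email to OKKI, creating follow-up records (remark_type=102).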
Usage Guidance
This skill mostly does what it says (IMAP/SMTP + OKKI), but take these concrete precautions before installing or providing credentials:
- Audit the following files first: discord-review.js, auto-capture.js, scripts/smtp.js, scripts/imap.js, and any files that call child_process.exec/execSync. They handle external network calls and spawn other programs.
- Do NOT place global or agent-level secrets in a parent .env. The code attempts to load ../../.env (discord-review.js); supply only a skill-local .env in the skill folder to avoid accidental leakage.
- If you don't intend to use Discord review, do not set DISCORD_BOT_TOKEN or configure Discord; otherwise the skill will send email drafts/content to discord.com. The skill does not list DISCORD_BOT_TOKEN in its declared env requirements — this is an undeclared external endpoint.
- Run the skill in an isolated/test environment first (use a disposable mailbox and disposable OKKI test credentials). Confirm that --dry-run works and that real sends are blocked until you explicitly approve.
- Because the skill spawns python scripts using paths you supply (OKKI_CLI_PATH, VECTOR_SEARCH_PATH), ensure those paths point to audited/trusted scripts; an attacker-supplied path could run arbitrary code.
- Consider restricting filesystem access (ALLOWED_READ_DIRS) and network egress for the environment running this skill, or review/modify the code to stop reading parent .env and to require explicit approval before any outbound network call.
If you cannot audit the code or are uncomfortable with Discord/external posting or with parent .env access, treat this skill as unsafe to run with production credentials.
Capability Analysis
Type: OpenClaw Skill
Name: okki-sync-mail
Version: 2.0.1
The bundle is a comprehensive email automation and CRM synchronization tool for OKKI CRM. It is classified as suspicious because it utilizes `execSync` in `auto-capture.js` and `kb-retrieval.js` to execute local Python scripts with arguments derived from external email data (such as domains and search queries) without sufficient sanitization, creating a significant risk of command injection. While the skill includes proactive security instructions in `SKILL.md` to defend against prompt injection and implements path validation for file operations in `scripts/imap.js` and `scripts/smtp.js`, the combination of shell execution, broad file system access, and the transmission of sensitive email content to external APIs (OpenRouter and Discord) constitutes high-risk behavior. No evidence of intentional malice or data exfiltration to unauthorized endpoints was found.
Capability Assessment
Purpose & Capability
Name/description require IMAP/SMTP and OKKI integration; required env vars (IMAP_*, SMTP_*, OKKI_CLI_PATH, VECTOR_SEARCH_PATH) and node/python binaries are coherent with the code (node scripts + python helper scripts). Requiring npm/node/python3 is reasonable given package.json and Python utilities.
Instruction Scope
SKILL.md and included scripts perform broad file and process actions: reading/writing local mail archive paths, running Python OKKI/vector-search scripts, and calling child_process.execSync. The code also posts email drafts/content to an external Discord channel (discord-review.js). Some instructions and files reference many absolute local paths (Obsidian vault, quotation workflow, workspace paths) and cron jobs — which is expected for an email automation tool but increases the surface area. Importantly, the skill's runtime reads .env files and other local files that are outside the skill directory (see discord-review.js's ENV_PATH = ../../.env), and the SKILL.md does not declare all environment variables actually used (e.g., DISCORD_BOT_TOKEN).
Install Mechanism
Registry metadata says 'instruction-only / no install spec', but package.json and package-lock.json are present and SKILL.md shows 'npm install' in Quick Start. The absence of a formal install spec in the manifest is an inconsistency (user will likely need to run npm install manually). No remote download URLs or suspicious installers were found.
Credentials
Declared envs (IMAP_*, SMTP_*, OKKI_CLI_PATH, VECTOR_SEARCH_PATH) are appropriate. However, code also tries to load DISCORD_BOT_TOKEN from a .env two directories up and uses process.env when spawning child processes, and discord-review.js will send email content to discord.com if configured — DISCORD_BOT_TOKEN is not declared in requires.env. Reading a parent .env risks exposing unrelated secrets (agent/system-level) and is disproportionate to a skill that should confine itself to its own config directory.
Persistence & Privilege
Skill is not always:true and is user-invocable (normal). It writes archives and review records to local directories and can be run from cron as documented. The main privilege concern is that configured review/approval pathways (Discord or local review files) can trigger actual sends via scripts/smtp.js; combined with undeclared credential access this increases risk if misconfigured, but the skill itself does not request forced global persistence or modify other skills.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install okki-sync-mail
  3. After installation, invoke the skill by name or use /okki-sync-mail
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.1
Fix: removed sensitive information (email addresses and paths) from .env.example and replaced it with placeholders
v2.0.0
Version 2.0.0 — Major feature expansion and advanced email management.
- Added advanced IMAP mailbox management: create, move, delete, list, and flag emails (star/unstar), supporting nested folders and irreversible deletion with a confirmation flag.
- Enhanced IMAP search, fetch, and download operations, including filters by date, recentness, read/unread status, and mailbox/folder selection.
- Improved SMTP sending: dry-run preview, scheduled (delayed) delivery, HTML support, quoting, reply threading, multi-recipient, multi-attachment, and granular sender/CC configuration.
- Expanded documentation with clear configuration instructions and extensive command usage examples.
- Integrated automatic email synchronization with OKKI CRM for seamless follow-up (remark_type=102).
- Added support for rate limiting, logging, signature templates, mail rules, connection pool optimization, and scheduled task storage.
Metadata
Slug okki-sync-mail
Version 2.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Okki Sync Mail?

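A complete email automation solution integrated with OKKI CRM. Supports automatic IMAP email capture, SMTP sending, dry-run mode, send logs, rate limiting, scheduled sending, signature templates, mail rules, connection pool optimization, email forwarding, and more. Automatically syncs inbound/outbound email to OKKI, creating follow-up records (remark_type=102). It is an AI Agent Skill for Claude Code / OpenClaw, with 107 downloads so far.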

How do I install Okki Sync Mail?

Run "/install okki-sync-mail" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Okki Sync Mail free?

Yes, Okki Sync Mail is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Okki Sync Mail support?

Okki Sync Mail is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Okki Sync Mail?

It is built and maintained by Jaden's built a claw (@cjboy007); the current version is v2.0.1.
