Email Header Analyzer

Author: snipercat69 · GitHub · v1.4.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 97 · Favorites: 0 · Current installs: 0 · Versions: 4
Install in OpenClaw
/install edgeiq-email-header-analyzer
Description
Parses email headers to detect spoofing, phishing, SPF/DKIM/DMARC failures, routing anomalies, and provides forensic analysis of email authenticity.
Usage instructions (SKILL.md)

Email Header Analyzer

Skill Name: email-header-analyzer
Version: 1.0.0
Category: Security / Email Forensics
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Parses and analyzes email headers (RFC 5322) to detect spoofing, phishing indicators, SPF/DKIM/DMARC authentication failures, routing anomalies, and suspicious origin servers. Extracts forensic details from headers to determine if an email is legitimate or a spoof/impersonation attempt.

⚠️ Legal Notice: Only analyze emails you own or have explicit authorization to audit. Not for intercepting or analyzing others' communications without consent.


Features

  • SPF validation — checks Sender Policy Framework authentication result
  • DKIM verification — parses DKIM signature and verification result
  • DMARC analysis — evaluates Domain-based Message Authentication policy
  • From/Reply-To mismatch detection — flags when reply address differs from sender
  • Received headers path analysis — traces email route across mail servers
  • Suspicious routing anomalies — detects forged hops, unexpected relay chain
  • IP reputation lookup — checks originating mail server IP against blocklists
  • Domain age/check — flags newly registered domains in headers
  • Attachment analysis — checks filenames, MIME types, content disposition
  • JSON export — structured forensic report

Tier Comparison

Feature Free Lifetime ($39) Optional Monthly ($7/mo)
Full header parse ✅ (5 emails) ✅ (unlimited) ✅ (unlimited)
SPF/DKIM/DMARC check
From/Reply-To mismatch
Mail server IP reputation
Domain age lookup
Received path analysis
Attachment metadata
JSON export

Installation

cp -r /home/guy/.openclaw/workspace/apps/email-header-analyzer ~/.openclaw/skills/email-header-analyzer

Usage

Basic header scan (free tier)

python3 email_analyzer.py --header "Received: from mail.example.com..."

Paste raw headers from email (Pro)

[email protected] python3 email_analyzer.py \
  --file /path/to/raw_headers.txt --pro

JSON report output

[email protected] python3 email_analyzer.py \
  --header "$(pbpaste)" --bundle --output email-report.json

As OpenClaw Discord Command

In #edgeiq-support channel:

!emailheader Received: from server... Authentication-Results: spf=fail...
!emailheader --file /path/to/headers.txt --pro

Parameters

| Flag | Type | Default | Description |
|---|---|---|---|
| --header | string | | Raw email headers (single line or multi-line) |
| --file | string | | Path to text file containing raw headers |
| --pro | flag | False | Enable Pro features |
| --bundle | flag | False | Enable Bundle features |
| --output | string | | Write JSON report to file |

Output Example

=== Email Header Analyzer ===
Analyzing headers for: [email protected]

  🔴 SPF FAIL — sender IP not authorized
    SPF Result: fail
    From domain: company.com
    Sender IP: 203.0.113.45 (not in SPF允许列表)
    Recommendation: Block or mark as suspicious

  🟡 DKIM: NONE (no signature found)
    Risk: Email has no cryptographic authentication

  🔴 DMARC POLICY FAIL
    Policy: reject
    Alignment: relaxed
    Result: SPF fail + DKIM none = DMARC fail

  🟡 FROM/REPLY-TO MISMATCH
    From:  [email protected]
    Reply-To: [email protected]
    Risk: Likely phishing or business email compromise

  ✔ Received path looks normal (3 hops)
    Hop 1: mail.attacker.com [203.0.113.45]
    Hop 2: relay.example.net [198.51.100.23]
    Hop 3: mail.company.com [203.0.113.1]

  Threat Level: HIGH — Multiple authentication failures + Reply-To mismatch

Authentication Results Explained

| Result | Meaning |
|---|---|
| SPF pass | Sender IP is authorized by the domain's SPF record |
| SPF fail | Sender IP is NOT authorized — likely spoofing |
| DKIM pass | Email digitally signed, signature valid |
| DKIM fail | Signature tampered or invalid |
| DMARC pass | Both SPF and DKIM aligned and passing |
| DMARC fail | Alignment failed — domain claimed but auth didn't match |
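
An added sketch of the header checks described above, using only the Python standard library. It is not the skill's own email_analyzer.py; the `analyze` function, the `trusted_authserv` parameter and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string, policy

# Constructed sample (reserved documentation domains/IPs). The lower
# Authentication-Results header is one the sender injected before delivery.
SAMPLE = """\
Received: from relay.example.net (relay.example.net [198.51.100.23])
\tby mail.company.example with ESMTP; Mon, 01 Jan 2024 10:00:05 +0000
Authentication-Results: mail.company.example;
\tspf=fail smtp.mailfrom=company.example;
\tdkim=none; dmarc=fail header.from=company.example
Received: from mail.attacker.example (mail.attacker.example [203.0.113.45])
\tby relay.example.net with ESMTP; Mon, 01 Jan 2024 10:00:01 +0000
Authentication-Results: mx.attacker.example; spf=pass; dkim=pass; dmarc=pass
From: "CEO" <ceo@company.example>
Reply-To: ceo@attacker.example
Subject: Urgent wire transfer

"""

HOP = re.compile(r"from\s+(\S+).*?\[([0-9A-Fa-f.:]+)\]", re.S)

def analyze(raw, trusted_authserv):
    msg = message_from_string(raw, policy=policy.default)
    auth = {}
    for ar in msg.get_all("Authentication-Results", []):
        authserv_id, _, results = str(ar).partition(";")
        # Trust only results stamped by our own receiving server (RFC 8601);
        # anything else may have been written by the sender.
        if authserv_id.lower().split()[:1] != [trusted_authserv.lower()]:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results, re.I):
            auth.setdefault(method.lower(), result.lower())  # topmost header wins

    def domain(name):
        hdr = msg[name]
        return hdr.addresses[0].domain.lower() if hdr and hdr.addresses else None

    from_dom, reply_dom = domain("From"), domain("Reply-To")
    # Received headers are prepended, so reverse them for chronological order.
    hops = [m.groups() for r in reversed(msg.get_all("Received", []))
            if (m := HOP.search(str(r)))]
    failed = sorted(k for k, v in auth.items() if v not in ("pass", "none"))
    return {"auth": auth, "failed": failed, "hops": hops,
            "reply_to_mismatch": reply_dom is not None and reply_dom != from_dom}
```

Calling `analyze(SAMPLE, "mail.company.example")` ignores the injected `spf=pass` header because its authserv-id is not the trusted one.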

Pro Upgrade

Full forensic analysis + IP reputation + domain age + path analysis:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo


Support

Open a ticket in #edgeiq-support or email [email protected]


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →

Security usage recommendations
This skill generally does what its description says, but review the code before running. Specific things to consider: (1) The analyzer will read any file path you pass with --file, so do not pass sensitive files unless you intend to analyze them. (2) The script performs network reputation/age lookups; verify what endpoints it calls (the truncated code suggests optional VirusTotal-style checks) and avoid supplying API keys unless you trust the author. (3) The licensing code grants Pro/Bundle access if EDGEIQ_EMAIL is set to the developer's email ([email protected]) or if a license file exists — this is a built-in bypass and may be unexpected. (4) Because the skill runs Python scripts included in the package, run it in an isolated environment (container or VM) if you are unsure of the source. (5) If you need higher assurance, ask the publisher for a complete list of external endpoints and required API keys or have a developer audit the full email_analyzer.py (the shipped file was partially truncated in the bundle; network/exfil behavior could be in the omitted portion). If you want to limit risk: do not grant the agent autonomous invocation for this skill, avoid setting EDGEIQ_EMAIL to the listed developer email, and do not provide API keys unless necessary and reviewed.
Functional analysis
Type: OpenClaw Skill Name: edgeiq-email-header-analyzer Version: 1.4.0 The skill is a legitimate email header forensic tool designed to analyze RFC 5322 headers for phishing and spoofing indicators. The code in email_analyzer.py and edgeiq_licensing.py performs standard parsing of SPF, DKIM, and DMARC results, checks for From/Reply-To mismatches, and traces mail server hops. While some 'Pro' features like IP reputation and domain age are partially simulated using local logic, the tool functions as described in SKILL.md without any evidence of data exfiltration, malicious execution, or prompt injection.
Capability tags
crypto · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name and description (email header analysis, SPF/DKIM/DMARC, IP reputation, domain age) align with the code and SKILL.md features. However, some capabilities (IP reputation, domain-age/whois, VirusTotal-like checks) imply network calls and optional API keys even though the skill declares no required environment variables or credentials. That mismatch is worth noting: the skill supports external lookups but doesn't document required API keys or endpoints in requires.env.
Instruction Scope
SKILL.md and the code permit reading headers from an arbitrary file path (--file /path/to/raw_headers.txt). That is reasonable for an analyzer, but it also enables reading any filesystem file if the agent or caller supplies such a path. The code imports urllib and performs network lookups (IP reputation, optional VirusTotal-like checks). The SKILL.md does not clearly enumerate which external services will be contacted or which API keys (if any) should be provided, giving the agent broad discretion to perform network requests. The legal notice is present but there's nothing in the runtime instructions that prevents misuse (e.g., auto-invoked by an agent to read sensitive files).
Install Mechanism
No install specification — instruction-only skill with included Python scripts. This is lower install risk (nothing downloaded at install time). The files will be executed locally when invoked; that is expected for a shipped script but means the code should be reviewed before running.
Credentials
The package declares no required environment variables, but the code uses EDGEIQ_EMAIL and a license file (~/.edgeiq/license.key) to enable Pro/Bundle features. The licensing logic contains a built-in bypass: if EDGEIQ_EMAIL == '[email protected]' (author's email), the code treats the user as licensed. This is a hidden/backdoor-like behavior (developer convenience) that may be unexpected and undesirable. The skill does not declare other optional env vars it may read (e.g., keys for external reputation services), so the environment/credential surface is under-documented.
Persistence & Privilege
always=false and the skill does not request permission to auto-enable itself or modify other skills. It places and reads a license file in the user's home (~/.edgeiq), which is normal for a license module, but it does not request elevated or global system privileges in the provided files.
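How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install edgeiq-email-header-analyzer
  3. Once installation completes, invoke the Skill by name or trigger it with /edgeiq-email-header-analyzer
  4. Provide the required inputs as described in the Skill's parameter documentation to get structured output.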
Version history
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.0.0: Initial release: RFC 5322 header parsing, SPF/DKIM/DMARC analysis, From/Reply-To mismatch detection, Received path analysis, IP reputation, domain age, subject analysis.
Metadata
Slug: edgeiq-email-header-analyzer
Version: 1.4.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 4
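Frequently asked questions

What is Email Header Analyzer?

Parses email headers to detect spoofing, phishing, SPF/DKIM/DMARC failures, routing anomalies, and provides forensic analysis of email authenticity. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 97 total downloads to date.

How do I install Email Header Analyzer?

Run the command "/install edgeiq-email-header-analyzer" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Email Header Analyzer free?

Yes, Email Header Analyzer is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does Email Header Analyzer support?

Email Header Analyzer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Email Header Analyzer?

Developed and maintained by snipercat69 (@snipercat69); the current version is v1.4.0.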
