← 返回 Skills 市场

Email Registration Scanner

Name: Email Registration Scanner
Author: fatihbtw

作者 fatihbtw · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

102

总下载

当前安装

版本数

在 OpenClaw 中安装

/install email-registration-scanner

功能描述

Scans email accounts (Gmail, iCloud, Outlook, Yahoo, AOL, GMX, Web.de, Fastmail, Proton, T-Online and more) for registration, welcome and confirmation emails...

使用说明 (SKILL.md)

Registration Scanner

Scans one or more email accounts for registration-related emails and returns a deduplicated, date-sorted list of every service the user has ever signed up for.

Supported Providers

Provider	Access Method
Gmail	Gmail tool / MCP connector
iCloud Mail	IMAP – imap.mail.me.com:993
Outlook / Hotmail / Live	IMAP – outlook.office365.com:993
Yahoo Mail	IMAP – imap.mail.yahoo.com:993
AOL Mail	IMAP – imap.aol.com:993
GMX	IMAP – imap.gmx.net:993
Web.de	IMAP – imap.web.de:993
T-Online	IMAP – secureimap.t-online.de:993
Fastmail	IMAP – imap.fastmail.com:993
Proton Mail	IMAP Bridge – 127.0.0.1:1143 (Bridge required)

Full provider details and IMAP setup guides → {baseDir}/references/providers.md

Step 1 – Identify Accounts

Ask the user which email accounts to scan before doing anything else:

"Which email accounts should I scan? (e.g. Gmail, iCloud, Outlook, Yahoo, AOL, GMX, Web.de, T-Online, Fastmail, Proton – or all of them?)"

Wait for the answer. Do not proceed until the user has confirmed.

Step 2 – Collect Credentials

Gmail

Use the Gmail tool or Gmail MCP connector if already configured.
If not configured, tell the user:

"Please connect your Gmail account first via openclaw configure or by enabling the Gmail MCP connector."

IMAP Providers (iCloud, Outlook, Yahoo, AOL, GMX, Web.de, T-Online, Fastmail)

Explain to the user:

"For [provider] I need your email address and an app-specific password (not your regular login password). You can generate one in your account's security settings. I will use it only for this session and never store it in plain text."

Refer to provider-specific instructions for generating app passwords → {baseDir}/references/providers.md

Proton Mail

Proton Mail requires the Proton Mail Bridge to be running locally.

"For Proton Mail, please make sure the Proton Mail Bridge is running. I will connect to it locally at 127.0.0.1:1143."

Step 3 – Run the Scan

Gmail

Use the Gmail tool to search with these queries in sequence. Collect all matching message IDs.

Search queries across all languages → {baseDir}/references/search-queries.md

IMAP Accounts

Use the Python script at {baseDir}/scripts/imap_scan.py to connect and search:

python3 "{baseDir}/scripts/imap_scan.py" \
  --host "imap.mail.me.com" \
  --port 993 \
  --user "[email protected]" \
  --password "app-specific-password" \
  --output "/tmp/registration_scan_results.json"

The script runs all search query batches automatically and returns a JSON list of matches.

Run this for each IMAP account separately, saving results to different temp files.

Step 4 – Parse and Deduplicate Results

For every matched email:

Extract: From, Date, Subject
Derive the service name from the sender domain or subject line
Example: [email protected] → Spotify, [email protected] → Notion
Deduplicate by service: keep only the oldest entry per service (= original registration)
Skip: transactional emails (password resets, receipts), pure newsletters with no registration context, internal/personal senders

Step 5 – Output

Present the final list sorted newest first. Use this format:

📋 REGISTERED SERVICES – [Account Name]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Found: XX services  |  Range: YYYY – YYYY

YYYY-MM-DD   Service Name
             From: [email protected]

YYYY-MM-DD   Service Name
             From: [email protected]
...
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

If multiple accounts were scanned, merge all results into one unified list sorted by date.

After showing the list, ask:

"Should I save this as a file? Or filter by a specific service or date range?"

Error Handling

IMAP auth failure: Ask the user to re-check their app password. Refer to {baseDir}/references/providers.md for setup steps.
IMAP not enabled: iCloud, Yahoo, Outlook may require IMAP to be turned on in account settings. Provider guide → {baseDir}/references/providers.md
Proton Bridge not running: Instruct the user to start the Proton Mail Bridge app first.
Rate limiting: Pause 1–2 seconds between search batches to avoid being throttled.
Large mailbox: Inform the user of progress. Large inboxes (100k+ emails) may take several minutes.

Privacy & Security Rules

Never display passwords, app keys, or credentials in output or logs.
Use OpenClaw's Secret Store for credentials whenever possible.
Delete temp files (/tmp/registration_scan_*.json) after the session ends.
Do not send any email content to external services.

安全使用建议

This skill appears to do what it claims (scan email headers for registration/welcome messages), but before installing or running it, be aware of these practical risks and mitigations: - Do not pass passwords on the command line. The example runs python3 imap_scan.py --password "..." which exposes the secret to other local users (ps) and shell history. Prefer using the agent's Secret Store, an interactive prompt, or an in-memory mechanism that doesn't show passwords in process arguments. - The SKILL.md says temp files will be deleted, but the helper script writes a JSON file and does not delete it. If you run this, point output to a secure location you control, and securely delete the file when done (or modify the script to delete it after use). - Proton Mail requires the Bridge running locally; confirm you trust the Bridge instance and local environment before exposing bridge credentials. - Consider using Gmail connector/MCP rather than raw app passwords where available, since MCP may provide a safer auth flow. - Review and, if appropriate, revoke any app-specific passwords after the scan completes. If you want to proceed, either (1) request the author to fix the CLI example to use the Secret Store / prompt-based input and to implement secure deletion of temp files, or (2) run the included script locally with careful handling of secrets (stdin/prompt or environment variable not exposed to other users) and explicit secure cleanup of output files.

功能分析

Type: OpenClaw Skill Name: email-registration-scanner Version: 1.0.0 The skill scans email headers via IMAP to identify registered services. While it implements privacy-preserving measures (fetching only headers, using PEEK to avoid marking emails as read, and providing guides for app-specific passwords), it requires the user to provide sensitive email credentials which are then passed as command-line arguments to a Python script (`scripts/imap_scan.py`). This practice exposes credentials in system process lists, representing a security vulnerability. Per the provided criteria, the use of high-risk capabilities (network access and email data retrieval) for its stated purpose warrants a suspicious classification.

能力评估

✓ Purpose & Capability

Name/description match the included files: SKILL.md, provider guides, search queries, and a Python IMAP helper implement the advertised registration-email scan across the listed providers. Requested inputs (app-specific passwords, Proton Bridge for Proton Mail, Gmail connector) are appropriate for the stated task.

⚠ Instruction Scope

SKILL.md says to use the Secret Store and never log passwords, but the provided example command passes the IMAP password on the command line (visible to other local users and shell history). The Python script writes results to a user-specified file in /tmp but does not itself delete temp files; SKILL.md promises deletion after the session — this is a mismatch. The runtime instructions otherwise stay within the stated scanning scope and do not reference unrelated files or remote endpoints.

✓ Install Mechanism

Instruction-only skill plus a small stdlib-only Python script. There is no installer, no downloads, and no third-party packages; risk from installation mechanism is low.

ℹ Credentials

The skill requests user credentials (app-specific passwords or Gmail connector) which are necessary for IMAP access and are proportionate to the task. However, the documentation's claim to use the Secret Store contrasts with the example that passes passwords as CLI args, which is insecure and inconsistent with the 'never store or log credentials' promise.

✓ Persistence & Privilege

Skill is user-invocable, not 'always'. Model invocation is allowed (default), which is normal. The skill does not request system-wide config changes or other skills' credentials.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install email-registration-scanner
安装完成后，直接呼叫该 Skill 的名称或使用 /email-registration-scanner 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release

元数据

Slug email-registration-scanner

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题