← 返回 Skills 市场
1093
总下载
0
收藏
7
当前安装
1
版本数
在 OpenClaw 中安装
/install imap-smtp-email-plus
功能描述
Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Wor...
使用说明 (SKILL.md)
IMAP/SMTP Email Tool
Read, search, and manage email via IMAP protocol. Send email via SMTP. Supports Gmail, Outlook, 163.com, vip.163.com, 126.com, vip.126.com, 188.com, vip.188.com, and any standard IMAP/SMTP server.
Configuration
Create .env in the skill folder or set environment variables:
# IMAP Configuration (receiving email)
IMAP_HOST=imap.gmail.com # Server hostname
IMAP_PORT=993 # Server port
[email protected]
IMAP_PASS=your_password
IMAP_TLS=true # Use TLS/SSL connection
IMAP_REJECT_UNAUTHORIZED=true # Set to false for self-signed certs
IMAP_MAILBOX=INBOX # Default mailbox
# SMTP Configuration (sending email)
SMTP_HOST=smtp.gmail.com # SMTP server hostname
SMTP_PORT=587 # SMTP port (587 for STARTTLS, 465 for SSL)
SMTP_SECURE=false # true for SSL (465), false for STARTTLS (587)
[email protected] # Your email address
SMTP_PASS=your_password # Your password or app password
[email protected] # Default sender email (optional)
SMTP_REJECT_UNAUTHORIZED=true # Set to false for self-signed certs
Common Email Servers
| Provider | IMAP Host | IMAP Port | SMTP Host | SMTP Port |
|---|---|---|---|---|
| 163.com | imap.163.com | 993 | smtp.163.com | 465 |
| vip.163.com | imap.vip.163.com | 993 | smtp.vip.163.com | 465 |
| 126.com | imap.126.com | 993 | smtp.126.com | 465 |
| vip.126.com | imap.vip.126.com | 993 | smtp.vip.126.com | 465 |
| 188.com | imap.188.com | 993 | smtp.188.com | 465 |
| vip.188.com | imap.vip.188.com | 993 | smtp.vip.188.com | 465 |
| yeah.net | imap.yeah.net | 993 | smtp.yeah.net | 465 |
| Gmail | imap.gmail.com | 993 | smtp.gmail.com | 587 |
| Outlook | outlook.office365.com | 993 | smtp.office365.com | 587 |
| QQ Mail | imap.qq.com | 993 | smtp.qq.com | 587 |
Important for 163.com:
- Use authorization code (授权码), not account password
- Enable IMAP/SMTP in web settings first
IMAP Commands (Receiving Email)
check
Check for new/unread emails.
node scripts/imap.js check [--limit 10] [--mailbox INBOX] [--recent 2h]
Options:
--limit \x3Cn>: Max results (default: 10)--mailbox \x3Cname>: Mailbox to check (default: INBOX)--recent \x3Ctime>: Only show emails from last X time (e.g., 30m, 2h, 7d)
fetch
Fetch full email content by UID.
node scripts/imap.js fetch \x3Cuid> [--mailbox INBOX]
download
Download all attachments from an email, or a specific attachment.
node scripts/imap.js download \x3Cuid> [--mailbox INBOX] [--dir \x3Cpath>] [--file \x3Cfilename>]
Options:
--mailbox \x3Cname>: Mailbox (default: INBOX)--dir \x3Cpath>: Output directory (default: current directory)--file \x3Cfilename>: Download only the specified attachment (default: download all)
search
Search emails with filters.
node scripts/imap.js search [options]
Options:
--unseen Only unread messages
--seen Only read messages
--from \x3Cemail> From address contains
--subject \x3Ctext> Subject contains
--recent \x3Ctime> From last X time (e.g., 30m, 2h, 7d)
--since \x3Cdate> After date (YYYY-MM-DD)
--before \x3Cdate> Before date (YYYY-MM-DD)
--limit \x3Cn> Max results (default: 20)
--mailbox \x3Cname> Mailbox to search (default: INBOX)
mark-read / mark-unread
Mark message(s) as read or unread.
node scripts/imap.js mark-read \x3Cuid> [uid2 uid3...]
node scripts/imap.js mark-unread \x3Cuid> [uid2 uid3...]
move
Move message(s) to another mailbox/folder. Useful for archiving emails.
node scripts/imap.js move \x3Ctarget-mailbox> \x3Cuid> [uid2 uid3...] [--mailbox \x3Csource>]
Examples:
# Archive to Gmail "All Mail" (归档到所有邮件)
node scripts/imap.js move "[Gmail]/所有邮件" 123 456
# Move to a custom folder
node scripts/imap.js move "Work" 123
# Move from a specific mailbox
node scripts/imap.js move "Archive" 123 --mailbox INBOX
list-mailboxes
List all available mailboxes/folders.
node scripts/imap.js list-mailboxes
SMTP Commands (Sending Email)
send
Send email via SMTP.
node scripts/smtp.js send --to \x3Cemail> --subject \x3Ctext> [options]
Required:
--to \x3Cemail>: Recipient (comma-separated for multiple)--subject \x3Ctext>: Email subject, or--subject-file \x3Cfile>
Optional:
--body \x3Ctext>: Plain text body--html: Send body as HTML--body-file \x3Cfile>: Read body from file--html-file \x3Cfile>: Read HTML from file--cc \x3Cemail>: CC recipients--bcc \x3Cemail>: BCC recipients--attach \x3Cfile>: Attachments (comma-separated)--from \x3Cemail>: Override default sender
Examples:
# Simple text email
node scripts/smtp.js send --to [email protected] --subject "Hello" --body "World"
# HTML email
node scripts/smtp.js send --to [email protected] --subject "Newsletter" --html --body "\x3Ch1>Welcome\x3C/h1>"
# Email with attachment
node scripts/smtp.js send --to [email protected] --subject "Report" --body "Please find attached" --attach report.pdf
# Multiple recipients
node scripts/smtp.js send --to "[email protected],[email protected]" --cc "[email protected]" --subject "Update" --body "Team update"
test
Test SMTP connection by sending a test email to yourself.
node scripts/smtp.js test
Dependencies
npm install
Security Notes
- Store credentials in
.env(add to.gitignore) - For Gmail: use App Password if 2FA is enabled
- For 163.com: use authorization code (授权码), not account password
Troubleshooting
Connection timeout:
- Verify server is running and accessible
- Check host/port configuration
Authentication failed:
- Verify username (usually full email address)
- Check password is correct
- For 163.com: use authorization code, not account password
- For Gmail: use App Password if 2FA enabled
TLS/SSL errors:
- Match
IMAP_TLS/SMTP_SECUREsetting to server requirements - For self-signed certs: set
IMAP_REJECT_UNAUTHORIZED=falseorSMTP_REJECT_UNAUTHORIZED=false
安全使用建议
This package appears to implement a normal IMAP/SMTP email client, but there are red flags you should consider before installing or entering credentials:
- Credential mismatch: The registry metadata declares no required environment variables, yet the tool requires IMAP_USER/IMAP_PASS and SMTP_USER/SMTP_PASS (sensitive credentials). Treat this as suspicious: verify the author and provenance before supplying credentials.
- Origin/provenance: package.json and README mention 'NetEase' while the registry owner and _meta.json differ—this could be repackaged code. Prefer code from a known/trusted source.
- Install behavior: You must run 'npm install' locally; dependencies are common and expected, but running install will write packages to disk. Inspect the included scripts (imap.js, smtp.js, setup.sh) yourself or in a sandbox before running.
- Minimize exposure: If you decide to test, use an account with no sensitive mail (or an app-specific/test account), and use app-passwords where supported (Gmail app password, authorization codes) rather than your primary account password.
- .env handling: Add the created .env to .gitignore and avoid committing it. Review setup.sh which creates .env to ensure it writes only intended values.
- If you cannot verify the publisher, do not provide real credentials. Consider running the tools in a restricted environment or sandbox and review network connections/logs while testing.
If you want, I can summarize exactly where the code reads/writes credentials and which files to inspect before running, or help craft safer test steps (sandboxed run, throwaway account, or manual credential parsing).
功能分析
Type: OpenClaw Skill
Name: imap-smtp-email-plus
Version: 1.0.0
This skill is classified as suspicious due to critical vulnerabilities, specifically a shell injection risk in `setup.sh` and arbitrary file read/write capabilities in `scripts/imap.js` and `scripts/smtp.js`. The `setup.sh` script expands user-provided `EMAIL` and `PASSWORD` variables directly within a `cat << EOF` block, making it vulnerable to command injection if malicious input is provided. Additionally, `scripts/imap.js` allows writing attachments to arbitrary paths via the `--dir` option in the `download` command, and `scripts/smtp.js` allows reading arbitrary files for email bodies or attachments via `--attach`, `--body-file`, `--html-file`, and `--subject-file` options. While these file operations are inherent to an email client, the lack of input sanitization or sandboxing mechanisms makes them significant vulnerabilities that could be exploited for information disclosure or arbitrary file writes if the agent is compromised, even without explicit malicious intent from the skill author.
能力评估
Purpose & Capability
The skill's name/description (read/send email via IMAP/SMTP) aligns with the included scripts (imap.js, smtp.js) and README: the code implements the documented functionality. However the package author metadata and registry ownership appear inconsistent (package.json/README claim 'NetEase' but registry owner and _meta.json differ), which suggests repackaging or unclear provenance.
Instruction Scope
Runtime instructions and scripts are scoped to IMAP/SMTP operations: connecting to servers, searching/fetching messages, downloading attachments, and sending email. They read a local .env for credentials and may read/write files for attachments and body files (expected for this functionality). The instructions do not contain explicit exfiltration or unexpected external endpoints beyond standard IMAP/SMTP servers.
Install Mechanism
There is no formal install spec in the registry, but the bundle includes package.json and package-lock.json and expects you to run 'npm install'. That pulls common npm libraries (imap, imap-simple, mailparser, nodemailer, dotenv). This is a moderate-risk pattern—dependencies are normal for an email tool, but the lack of an install spec plus bundled code means the package will write dependencies to disk when you run npm install.
Credentials
The metadata lists no required environment variables or primary credential, yet SKILL.md, setup.sh, and the scripts require many sensitive env vars (IMAP_USER, IMAP_PASS, IMAP_HOST, SMTP_USER, SMTP_PASS, SMTP_HOST, etc.). This mismatch (declaring no env needs while actually requiring account credentials and passwords) is an incoherence and increases risk: the skill will need direct access to email credentials but the registry metadata gives no visibility or prompts about that.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or global agent configuration. It writes a .env file in the skill folder via setup.sh (local only) and writes attachments to user-specified directories—expected behavior for an email client.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install imap-smtp-email-plus - 安装完成后,直接呼叫该 Skill 的名称或使用
/imap-smtp-email-plus触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Added move command to move emails between mailboxes
元数据
常见问题
IMAP/SMTP Email (Plus) 是什么?
Read and send email via IMAP/SMTP. Check for new/unread messages, fetch content, search mailboxes, mark as read/unread, and send emails with attachments. Wor... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1093 次。
如何安装 IMAP/SMTP Email (Plus)?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install imap-smtp-email-plus」即可一键安装,无需额外配置。
IMAP/SMTP Email (Plus) 是免费的吗?
是的,IMAP/SMTP Email (Plus) 完全免费(开源免费),可自由下载、安装和使用。
IMAP/SMTP Email (Plus) 支持哪些平台?
IMAP/SMTP Email (Plus) 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 IMAP/SMTP Email (Plus)?
由 Roccoon(@lroccoon)开发并维护,当前版本 v1.0.0。
推荐 Skills