QQ Mail Invoice Downloader
Author: FrankFuShMomentLab · v1.1.0 · MIT-0
Total downloads: 109
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install qq-invoice-downloader
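Description
Automatically logs in to QQ Mail, searches for invoice emails by date, downloads PDF attachments and extracts ZIP archives, filters out non-invoices, and generates a categorized Excel report.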
Security recommendations
Do not run this skill as-is. Before installing or executing:
1) Search the code and remove/replace any hard-coded EMAIL and PASSWORD values — never run code that logs into someone else's mailbox.
2) Change BASE_DIR/OUTPUT_DIR to a configurable value (env var or CLI arg) so files are written to a safe location you control.
3) Inspect send_report.py / send_report_telegram.py to see whether and where results are transmitted; if you don't want external uploads, disable or remove those parts.
4) If you must use the skill, provide your own mailbox credentials via a secure mechanism (never embed them in the repo); run in an isolated VM and with a throwaway mailbox for testing.
5) Consider running a local static secrets scan and reviewing network endpoints the code contacts.
If you are unsure or cannot confidently audit the code, avoid using it or request a version that accepts credentials and paths via documented, secure configuration.
Functional analysis
Type: OpenClaw Skill
Name: qq-invoice-downloader
Version: 1.1.0
The skill bundle contains multiple hardcoded sensitive credentials, including a QQ email address and IMAP authorization code ([email protected] / dcdrfqjmoczrbhdj) and a functional Telegram Bot Token (8408048074:AAHRX5vogDUKZjdf-mL4ByJ8ukihRosqFpI) found in files like browser_processor.py and send_report_telegram.py. Most critically, send_report_telegram.py is designed to exfiltrate the generated '发票目录.xlsx' (which contains sensitive financial and personal data) to the hardcoded Telegram bot. While these are presented as reporting features, the use of hardcoded destination endpoints for sensitive data in a shared skill bundle is a significant security risk and resembles data exfiltration behavior.
Capability assessment
Purpose & Capability
The code and SKILL.md are consistent with the stated purpose (search QQ mailbox, download PDF/ZIP attachments, process and report). However multiple files hard-code a specific QQ email and password and a Windows base directory (e.g., BASE_DIR = r"Z:\OpenClaw\InvoiceOC" and EMAIL/PASSWORD constants). A user would expect to provide their own mailbox credentials and output directory; hardcoding the author's credentials and path is disproportionate and inappropriate.
Instruction Scope
SKILL.md documents running invoice_downloader_v82.py and optional MINIMAX_API_KEY use, but it does not tell users to configure mailbox credentials or the BASE_DIR. The runtime files connect to imap.qq.com, log in with the embedded credentials, fetch emails, open arbitrary links in a browser (Playwright), download files, and write to fixed disk locations. The instructions are incomplete/ambiguous and grant broad file- and network-access behavior not described in the manifest.
Install Mechanism
There is no install spec (instruction-only), so nothing is automatically downloaded by the registry. The code requires runtime dependencies (playwright, imap-tools, requests, pandas) and Playwright will install browsers when used. This is expected for a browser-automation downloader and is not itself a high install risk, but the skill will execute many network and local I/O operations when run.
Credentials
The manifest declares no required environment variables, yet the code uses: hard-coded EMAIL/PASSWORD/IMAP_SERVER and hard-coded output directories. SKILL.md mentions MINIMAX_API_KEY for optional LLM fallback but the primary authentication for mailbox access is not configurable via environment variables as the user would expect. There are also files (send_report_telegram.py / send_report.py referenced) that can send results externally but the skill does not declare or document required remote tokens/webhooks — this mismatch increases the risk of unexpected data transmission.
Persistence & Privilege
The skill is user-invocable and not marked always:true. It does not declare changes to other skills or global agent settings. It will run with the invoking agent's privileges and perform network and file operations, which is normal for this functionality. There is no evidence it attempts to persistently modify the agent registry or autostart itself.
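How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install qq-invoice-downloader
- Once installation completes, call the Skill by name or use /qq-invoice-downloader to trigger it
- Provide the required input according to the Skill's parameter description to get structured output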
Version history
v1.1.0
v1.1: LLM-enhanced analysis Phase 1 complete, selectors for 33 platforms, verified against the real MiniMax-M2.7 API
v1.0.0
Initial release: v8.2, env vars for credentials, supports QQ email IMAP auto-login and PDF download
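FAQ
What is QQ Mail Invoice Downloader?
Automatically logs in to QQ Mail, searches for invoice emails by date, downloads PDF attachments and extracts ZIP archives, filters out non-invoices, and generates a categorized Excel report. It is an AI Agent Skill plugin for Claude Code / OpenClaw and has been downloaded 109 times in total so far.
How do I install QQ Mail Invoice Downloader?
Run the command "/install qq-invoice-downloader" in the OpenClaw or Claude Code chat box to install it in one step, with no additional configuration.
Is QQ Mail Invoice Downloader free?
Yes, QQ Mail Invoice Downloader is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.
Which platforms does QQ Mail Invoice Downloader support?
QQ Mail Invoice Downloader runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).
Who developed QQ Mail Invoice Downloader?
It is developed and maintained by FrankFuShMomentLab (@frankfushmomentlab); the current version is v1.1.0.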