Tencent Exmail (腾讯企业邮箱)/qqexmail

Author: hunger09 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 105
Favorites: 0
Current installs: 0
Versions: 1
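Install in OpenClaw
/install qqexmail
Description
Send and receive Tencent Exmail (exmail.qq.com) mail over IMAP/SMTP. Supports sending mail, listing received mail, and fetching message bodies. Credentials are read from environment variables.
Security usage recommendations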
This skill appears to implement the advertised Tencent Exmail IMAP/SMTP features, but there are important caveats: (1) the registry metadata incorrectly claims no required env vars or binaries — the scripts need Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE); (2) SKILL.md mentions a --days option but receive.js does not implement it; get-body.js may not reliably fetch by UID due to how the IMAP fetch is called and uses a short timeout — these are functional bugs, not obvious malicious behavior; (3) send.js disables strict TLS verification (tls.rejectUnauthorized: false), which reduces TLS checks (may be needed in some setups but weakens security); (4) EXMAIL_AUTH_CODE grants full mailbox access — do not store it in code or public repos and rotate it if exposed. Before installing: review the code yourself (or have a developer review) and only provide credentials in a controlled environment; prefer running the scripts locally rather than giving these env vars to an autonomous agent you don't fully control. If you plan to trust this skill broadly, ask the author to correct metadata, implement the --days option (or update docs), and address the get-body UID correctness and timeout handling.
Functional analysis
Type: OpenClaw Skill · Name: qqexmail · Version: 1.0.0
The skill provides legitimate functionality for managing Tencent Enterprise Email via IMAP and SMTP, but it contains a significant security vulnerability. Specifically, `scripts/send.js` explicitly disables TLS certificate validation (`rejectUnauthorized: false`), which exposes the SMTP connection to Man-in-the-Middle (MITM) attacks. While the code logic aligns with the stated purpose and shows no evidence of intentional malice or data exfiltration, the prompt instructions require classifying such vulnerabilities as suspicious.
Capability assessment
Purpose & Capability
The skill's name/description (Tencent exmail IMAP/SMTP client) matches the included code (send.js, receive.js, get-body.js) and npm dependencies (imap, mailparser, nodemailer). However the registry metadata claims no required env vars or binaries while the code requires Node.js and two environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE). This metadata mismatch is inconsistent and could mislead users about what the skill will access.
Instruction Scope
SKILL.md describes expected behaviour and the code implements sending, listing, and fetching bodies and only connects to exmail.qq.com servers. However: (1) SKILL.md advertises a --days option for receive.js, but the receive.js implementation parses --days and never applies it (unused variable) — a functional mismatch; (2) get-body.js expects a UID from receive.js but uses imap.fetch([uid], ...) without explicitly using UID-mode, which may make fetching by UID unreliable (implementation bug/race); (3) get-body.js uses a fixed short timeout to wait for parsing to finish (racy). There are no calls to unexpected external endpoints, but the code reads sensitive environment variables (as advertised).
Install Mechanism
There is no remote download/install step in the skill package (no URL downloads). The package includes package.json and a package-lock, and SKILL.md instructs to run npm install and node scripts — a standard, low-risk Node.js workflow. Dependencies are common email/parsing libraries from the npm registry (imap, mailparser, nodemailer).
Credentials
The code requires two sensitive environment variables (EXMAIL_ACCOUNT and EXMAIL_AUTH_CODE), which are exactly what an IMAP/SMTP client needs — so the variables themselves are proportionate. The problem is the registry metadata/manifest declares "Required env vars: none" and "Primary credential: none", which is incorrect and misleading. Also note EXMAIL_AUTH_CODE is a highly sensitive credential (email access) — grant only to trusted code and rotate if exposed.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges. always:false and default invocation settings are used. The code does not modify other skills or system-wide settings and does not write persistent credentials to disk. Autonomous agent invocation is enabled by default (not flagged alone), so be cautious about giving an agent email creds as it could send/read mail autonomously.
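How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install qqexmail
  3. Once installation completes, invoke the skill by name or trigger it with /qqexmail
  4. Provide the inputs required by the skill's parameter description to get structured output.
Version history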
v1.0.0
Initial release of 腾讯企业邮箱 skill:
- Send, receive, and read emails from exmail.qq.com via IMAP/SMTP using Node.js scripts.
- Credentials (account and authorization code) are read from environment variables.
- Includes scripts for sending (`send.js`), receiving (`receive.js`), and fetching full email body by UID (`get-body.js`).
- Supports fetching recent N messages or messages from the last N days, with convenient CLI options.
- Output includes subject, sender, date, UID, and content summary. Full plain-text body available by UID.
- Security best practices: never commit credentials; use authorization code, not login password.
Metadata
Slug qqexmail
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Historical versions 1
FAQ

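What is Tencent Exmail/qqexmail?

Send and receive Tencent Exmail (exmail.qq.com) mail over IMAP/SMTP. Supports sending mail, listing received mail, and fetching message bodies. Credentials are read from environment variables. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 105 total downloads to date.

How do I install Tencent Exmail/qqexmail?

Run the command "/install qqexmail" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.

Is Tencent Exmail/qqexmail free?

Yes. Tencent Exmail/qqexmail is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does Tencent Exmail/qqexmail support?

Tencent Exmail/qqexmail runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Tencent Exmail/qqexmail?

It is developed and maintained by hunger09 (@hunger09); the current version is v1.0.0.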
