by 安全扫描
OpenClaw
安全
medium confidenceNULL
评估建议
This skill appears to do what it says: use browser automation to compose and send emails. Key things to consider before installing:
- It will use your logged-in browser session and can read and send emails on your behalf. Only enable it for accounts you trust.
- Because it acts inside your browser, it can access email content (including sensitive messages). Avoid giving it access to high-value or corporate accounts unless you trust the skill's provenance.
- The package is instruction-only an...详细分析 ▾
✓ 用途与能力
Name and description match the SKILL.md: the skill uses browser automation to draft, reply, and send emails for Gmail, Outlook, QQ Mail, 163/126. It requests no unrelated binaries, env vars, or installs; the resources it needs (a browser session) are consistent with its stated purpose.
ℹ 指令范围
The instructions explicitly perform actions in the user's browser session: opening provider URLs, inspecting page DOM, filling recipient/subject/body fields, and clicking send. This is expected for an email-sending skill, but it does grant the skill the ability to read mailbox content and send messages on the user's behalf. The SKILL.md includes a privacy warning, which is appropriate. There are no instructions to exfiltrate data to external endpoints or to access other system files.
✓ 安装机制
No install spec and no code files (instruction-only). This minimizes disk footprint and there are no remote downloads or package installs to review.
✓ 凭证需求
The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate: it relies on an existing browser session rather than asking for separate credentials. No unexplained secrets are requested.
ℹ 持久化与权限
always:false and user-invocable:true (default). The skill can be invoked autonomously by the agent (platform default), which in combination with browser access would allow autonomous sends if the agent chooses to run it — this is not abnormal, but it increases the potential impact if the skill is invoked without explicit user confirmation.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.42026/3/24
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install email-composer
镜像加速npx clawhub@latest install email-composer --registry https://cn.longxiaskill.com