by 安全扫描
OpenClaw
可疑
high confidenceNULL
评估建议
Do not install blindly. The skill's functionality (Exchange EWS access) is plausible, but there are clear mismatches and risky behaviors around credentials:
- SKILL.md asks you to put EXCHANGE_SERVER/EXCHANGE_DOMAIN/EXCHANGE_EMAIL/EXCHANGE_PASSWORD in .env.credentials, but the code actually reads PICARD_USERNAME and PICARD_PASSWORD (with EXCHANGE_* used as fallbacks in some places). This will likely cause runtime confusion or failures.
- The module reads a .env.credentials file two directories ...详细分析 ▾
ℹ 用途与能力
Name, SKILL.md examples and the included __init__.py implement Exchange 2010 EWS operations (email, calendar, contacts, tasks) — the requested capabilities match the code's purpose. However the skill's package metadata lists no required env vars while the code expects credentials, indicating a documentation/metadata mismatch.
⚠ 指令范围
SKILL.md instructs placing Exchange credentials in a .env.credentials file. The code will read a .env.credentials file located two directories above the module and set every KEY=VALUE it finds into os.environ (no filtering). That means the skill will import any keys present in that file (not only Exchange-related keys). Also SKILL.md references EXCHANGE_PASSWORD but the code reads PICARD_PASSWORD (and raises an error mentioning EXCHANGE_PASSWORD), creating confusion and potential runtime errors.
✓ 安装机制
No install script or remote downloads are present. The skill is instruction/code-only and does not fetch remote artifacts during install.
⚠ 凭证需求
Registry metadata declares no required env vars but runtime requires credentials. The code expects PICARD_USERNAME / PICARD_PASSWORD and uses EXCHANGE_* fallbacks inconsistently. The practice of loading an arbitrary .env.credentials into os.environ (all keys) is disproportionate because it can import unrelated secrets into the process unexpectedly.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills, and has no install-time persistence mechanisms. It will run with normal autonomous invocation defaults.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/7
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install exchange2010
镜像加速npx clawhub@latest install exchange2010 --registry https://cn.longxiaskill.com