QQ Mail receive and send skill - read mail in a QQ mailbox and send mail to other accounts
Security Analysis
High confidence: The skill's files and instructions match its stated purpose (reading via IMAP and sending via SMTP for QQ Mail); nothing in the package is requesting unrelated credentials, external endpoints, or surprising installs. It does, however, ask users to provide and store email auth codes locally, which has normal privacy implications.
Name/description (QQ Mail send/receive) align with included scripts (fetch_orders.py reads IMAP, send_email.py sends via SMTP) and declared dependencies (imap-tools, python-dotenv). No unrelated env vars, binaries, or config paths are requested.
SKILL.md instructs the agent to collect the user's QQ email and authorization code and write them into a local .env file; the scripts read that .env and perform only mailbox access and email sending. This is within scope, but collecting secrets via chat and persisting them in plaintext is a privacy/security concern (expected for purpose, but worth highlighting).
No install spec — instruction-only plus small Python scripts. Dependencies are standard Python packages from PyPI (imap-tools, python-dotenv). No downloads from arbitrary URLs or archive extraction are present.
The skill needs IMAP/SMTP credentials (authorization code) which are proportionate to its purpose. The package does not request other unrelated secrets. However, it encourages the user to paste the authorization code into the chat and to persist it in a plain .env file, which increases risk of credential exposure if the agent/chat logs or disk are not secured.
always is false and the skill is user-invocable; it does not attempt to modify other skills or system-wide settings. Its persistent effect is limited to creating/reading a local .env in the working directory (normal for this kind of tool).
Guidance
This skill appears to do what it claims (read/send QQ mail). Before installing/using: (1) Prefer generating an app-specific authorization code (not your QQ login password); (2) Do not paste secrets into public/shared chat history — if you must provide the auth code to an agent, ensure the agent runs locally or that the platform protects chat contents; (3) Restrict permissions of the .env file (e.g., chmod 600) or use a secure OS credential store instead of plaintext; (4) Inspect and run the scripts in an isolated environment (virtualenv/container); (5) Remove or rotate the auth code when no longer needed. If you need the agent to auto-save credentials, only proceed if you trust the runtime environment and storage location.
Latest Release
v1.0.0
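QQemail-agent v1.1.0
- Newly added support for sending and receiving QQ Mail: reading mail via IMAP, sending mail via SMTP
- Added a conversational configuration flow for first-time users, with agent guidance prompts
- Provides two configuration methods: manual and automatic (writing a .env file)
- Published detailed usage instructions and dependency installation documentation
- Added `fetch_orders.py` for reading mail and `send_email.py` for sending mail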
Published by @cynic-joe on ClawHub