High Risk — Risk Score 62/100
Last scan: 20 hr ago
Email Analyzer
Analyzes, backs up, and deletes emails from [email protected] based on keyword filtering
The skill contains hardcoded credentials (email authorization code) in plaintext within source code and documentation, presenting significant credential exposure risk if the repository becomes public or is shared.
Skill Name: Email Analyzer
Duration: 45.4s
Engine: pi
Do not install this skill
Remove hardcoded credentials from source code. Use environment variables or a secrets manager (e.g., .env file with .gitignore) to store the authorization code. The SKILL.md should reference environment variables rather than exposing the actual credential.

Attack Chain (3 steps)

Escalation Attacker obtains repository or accesses skill files
SKILL.md:1
Escalation Attacker extracts hardcoded authorization code from email_analyzer.py CONFIG
email_analyzer.py:17
Impact Attacker gains unauthorized access to [email protected] mailbox using harvested credentials
N/A

Findings (4 items)

Severity Finding Location
High
Hardcoded Email Authorization Code Credential Theft
The IMAP authorization code 'WUEw8qhBwjzpUAZW' for [email protected] is hardcoded in plaintext within email_analyzer.py CONFIG dictionary. If the repository is exposed or shared, this credential could be harvested.
"password": "WUEw8qhBwjzpUAZW"
→ Move credentials to environment variables: os.environ.get('EMAIL_AUTH_CODE')
email_analyzer.py:17
High
Credentials Exposed in Documentation Doc Mismatch
SKILL.md explicitly documents the full authorization code in its "Hardcoded Configuration" (固化配置) table (lines 18-19), so the credential can be extracted from the documentation alone.
授权码 | WUEw8qhBwjzpUAZW
→ Replace actual credential with placeholder: '授权码 | $EMAIL_AUTH_CODE'
SKILL.md:18
Medium
Email Content Access Without User Consent Flow Sensitive Access
The view_email.py script fetches full RFC822 email content including body text. While documented, there's no user confirmation step before retrieving full email content.
# View Specific Email Content - view the full content of a specified email
→ Add user confirmation prompt before fetching full email body
view_email.py:1
Low
Dependency Version Not Pinned Credential Theft
No requirements.txt exists, so the imapclient library is imported without any explicit version pinning.
from imapclient import IMAPClient
→ Add requirements.txt with pinned versions: imapclient==2.3.1
email_analyzer.py:6
Resource Declared Inferred Status Evidence
Network READ READ ✓ Aligned IMAPClient connects to imap.126.com for email access
Filesystem WRITE WRITE ✓ Aligned Writes JSON backup files and analysis reports
Shell WRITE WRITE ✓ Aligned Shell script wraps Python execution; all documented
1 finding
Info Email address
[email protected]
SKILL.md:12

File Tree

9 files · 33.0 KB · 1174 lines
Python 7f · 856L Markdown 1f · 211L Shell 1f · 107L
├─ backup.py Python 61L · 1.7 KB
├─ delete_selective.py Python 138L · 4.2 KB
├─ delete.py Python 86L · 2.4 KB
├─ email_analyzer.py Python 301L · 9.9 KB
├─ email-analyzer.sh Shell 107L · 2.8 KB
├─ SKILL.md Markdown 211L · 4.9 KB
├─ verify.py Python 60L · 1.6 KB
├─ view_details.py Python 99L · 2.7 KB
└─ view_email.py Python 111L · 2.8 KB

Dependencies (1 item)

Package Version Source Known Vulns Notes
imapclient unpinned pip import No No requirements.txt or version constraint found

Security Positives

✓ No reverse shell or C2 infrastructure detected
✓ No data exfiltration to external IPs beyond legitimate IMAP connection
✓ All shell operations are documented and necessary for the stated purpose
✓ Deletion operations require explicit --confirm flag and manual 'yes' input
✓ Backup functionality preserves data before deletion
✓ No obfuscation techniques (base64, eval) detected
✓ IMAP connection is to legitimate 126.com server only