High Risk — Risk Score 68/100
Last scan: 22 hr ago
recruit-email-monitor
Recruitment email monitoring system: automatically checks mailboxes, records results to a spreadsheet, sends Feishu notifications and a daily briefing
Hardcoded real email credentials (QQ and 163 authorization codes) are exposed in source code, enabling unauthorized account access to anyone who downloads this skill.
Skill Name: recruit-email-monitor
Duration: 48.7s
Engine: pi
Do not install this skill
CRITICAL: Remove all hardcoded credentials from source code. Use environment variables or a secure config file instead. Rotate the exposed authorization codes immediately. The real credentials at lines 19 and 25 of email-heartbeat-check.py must be replaced with placeholders or externalized to a .env file.

Attack Chain (4 steps)

1. Escalation: Attacker clones/downloads the skill from the repository
   github.com/nhaoxi/recruit-email-monitor
2. Escalation: Attacker reads email-heartbeat-check.py and extracts the hardcoded credentials
   scripts/email-heartbeat-check.py:19
3. Impact: Attacker uses the extracted credentials to access the QQ email account ([email protected]) via POP3
   scripts/email-heartbeat-check.py:19
4. Impact: Attacker uses the extracted credentials to access the 163 email account ([email protected]) via POP3
   scripts/email-heartbeat-check.py:25

Findings (5 items)

Severity: Critical
Finding: Hardcoded QQ Email Authorization Code
Category: Credential Theft
Real QQ email authorization code 'bxfwjdtvienzdihi' for account [email protected] is hardcoded directly in source code at line 19. This credential grants full POP3 access to the email account.
Evidence: 'password': 'bxfwjdtvienzdihi'
Recommendation: Immediately rotate this authorization code in QQ mail settings and replace it with an environment variable: os.environ.get('QQ_EMAIL_AUTH_CODE')
Location: scripts/email-heartbeat-check.py:19

Severity: Critical
Finding: Hardcoded 163 Email Authorization Code
Category: Credential Theft
Real 163 email authorization code 'XStys36TXuV6geTq' for account [email protected] is hardcoded directly in source code at line 25. This credential grants full POP3 access to the email account.
Evidence: 'password': 'XStys36TXuV6geTq'
Recommendation: Immediately rotate this authorization code in 163 mail settings and replace it with an environment variable: os.environ.get('MAIL_163_AUTH_CODE')
Location: scripts/email-heartbeat-check.py:25

Severity: High
Finding: Documentation Shows Placeholders, Code Contains Real Credentials
Category: Doc Mismatch
SKILL.md line 16 and INSTALL.md show placeholder credentials such as '[email protected]' and 'your_auth_code', but the actual code contains real, working credentials. This creates a deceptive situation: the documentation suggests configuration is still needed, while real credentials are already present.
Evidence: SKILL.md shows 'user': '[email protected]', 'password': 'your_auth_code' vs. actual code 'user': '[email protected]', 'password': 'bxfwjdtvienzdihi'
Recommendation: Remove all real credentials from source code. Use placeholder values that clearly indicate configuration is required.
Location: scripts/email-heartbeat-check.py:16

Severity: High
Finding: Hardcoded Author Path Exposure
Category: Sensitive Access
Multiple hardcoded paths reveal the original author's username 'erhao', including /home/erhao/shared/ and /home/erhao/.openclaw/. This exposes the author's private directory structure.
Evidence: EXCEL_PATH = '/home/erhao/shared/招聘邮件汇总.xlsx'
Recommendation: Use environment variables or relative paths for file storage, e.g. os.path.expanduser('~/shared/...'), or read the path from config.
Location: scripts/email-heartbeat-check.py:51

Severity: Medium
Finding: Hardcoded Feishu User ID
Category: Credential Theft
Feishu user ID 'ou_8de02604ccd510eeb4897ffd70d96c1d' is hardcoded in both scripts at lines 155 and 281. While not a secret credential, it ties the skill to a specific user.
Evidence: '--target', 'user:ou_8de02604ccd510eeb4897ffd70d96c1d'
Recommendation: Move the ID to a configuration file or environment variable.
Location: scripts/email-heartbeat-check.py:155
Permissions

Resource   | Declared | Inferred | Status    | Evidence
Network    | READ     | READ     | ✓ Aligned | poplib.POP3_SSL connections to email servers (declared)
Filesystem | WRITE    | WRITE    | ✓ Aligned | openpyxl workbook saves, JSON writes to /home/erhao/.openclaw/
Shell      | WRITE    | WRITE    | ✓ Aligned | subprocess.run(['openclaw', 'message', 'send']) at lines 155, 281
Detected identifiers (4 findings)

Info | Email address | [email protected] | README.md:51
Info | Email address | [email protected] | README.md:58
Info | Email address | [email protected] | scripts/email-heartbeat-check.py:20
Info | Email address | [email protected] | scripts/email-heartbeat-check.py:27

File Tree

7 files · 37.8 KB · 1267 lines
Python: 2 files · 625 lines; Markdown: 3 files · 575 lines; JSON: 2 files · 67 lines
├─ 📁 scripts
│ ├─ 🐍 email-daily-briefing.py Python 243L · 8.5 KB
│ └─ 🐍 email-heartbeat-check.py Python 382L · 13.0 KB
├─ 📋 _meta.json JSON 24L · 806 B
├─ 📋 cron-jobs.json JSON 43L · 1.1 KB
├─ 📝 INSTALL.md Markdown 231L · 5.8 KB
├─ 📝 README.md Markdown 172L · 4.3 KB
└─ 📝 SKILL.md Markdown 172L · 4.3 KB

Dependencies (1 item)

Package  | Version | Source | Known Vulns | Notes
openpyxl | *       | pip    | No          | Version not pinned but widely used; no known vulnerabilities relevant to this use case

Security Positives

✓ Subprocess usage for openclaw CLI is documented and declared
✓ No base64 encoding or obfuscation detected
✓ No reverse shell or C2 communication patterns
✓ No malicious dependencies detected (only openpyxl)
✓ No evidence of intentional data exfiltration beyond email monitoring purpose