Suspicious — Risk Score 45/100
Last scan: 17 hr ago
imap-idle-sneder
IMAP IDLE email listener with Feishu notifications
Skill performs legitimate IMAP email monitoring but contains hardcoded credentials and undeclared network access to IMAP server and Feishu API.
Skill Name: imap-idle-sneder
Duration: 43.2s
Engine: pi
Use with caution
Move all credentials to environment variables or a separate config file. Declare network:WRITE and credential access in SKILL.md. Consider using existing config management instead of hardcoding secrets.

Findings (5 items)

Severity | Finding | Category | Location

High | Hardcoded email credentials in source code | Credential Theft | scripts/imap_idle.py:37
QQ email authorization code stored as string literal PASSWORD = '******' in imap_idle.py line 37. If the repo is public or shared, the credential is exposed.
Evidence: PASSWORD = "******"  # QQ mailbox authorization code
→ Move credentials to environment variables or a separate .env file that is .gitignored

High | Hardcoded Feishu API credentials | Credential Theft | scripts/imap_idle.py:127
Feishu APP_ID, APP_SECRET, and USER_ID stored as string literals in source code (lines 127-129), exposing integration credentials.
Evidence: FEISHU_APP_ID = "******"
→ Load from environment variables: os.environ.get('FEISHU_APP_ID')

Medium | Undeclared network access | Doc Mismatch | SKILL.md:1
SKILL.md declares 'NONE' permissions, but the script makes HTTP requests to open.feishu.cn and connects to imap.qq.com:993. Network access is critical to functionality but not documented.
Evidence: No network permissions declared
→ Update SKILL.md to declare network:WRITE for IMAP and Feishu API access

Medium | Email content sent to third-party service | Data Exfil | scripts/imap_idle.py:180
Full email body (up to 500 chars), subject, sender name and email address are forwarded to the Feishu API. This outbound data flow is mentioned in the docs, but combined with the hardcoded credentials above it is concerning.
Evidence: body = email_info.get('body', '')[:200]...
→ Document what data is sent externally. Consider whether all email fields need to be transmitted.

Low | Dependencies without version pinning | Supply Chain | scripts/imap_idle.py:26
imap-tools and beautifulsoup4 are used without version constraints, so a new release of either package could change behaviour unexpectedly.
Evidence: from imap_tools import MailBox
→ Pin versions: imap-tools>=0.45.0, beautifulsoup4>=4.9.0
Resource | Declared | Inferred | Status | Evidence
Network | NONE | WRITE | ✗ Violation | scripts/imap_idle.py:136,198
Filesystem | NONE | WRITE | ✗ Violation | scripts/imap_idle.py:52-53 writes to workspace and log files
Environment | NONE | READ | ✗ Violation | Credentials should be env-based but are hardcoded
3 findings

🔗 Medium | External URL
https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal
scripts/imap_idle.py:136

🔗 Medium | External URL
https://open.feishu.cn/open-apis/im/v1/messages?receive_id_type=open_id
scripts/imap_idle.py:198

📧 Info | Email address
[email protected]
scripts/imap_idle.py:36

File Tree

2 files · 18.4 KB · 485 lines
Python 1f · 407L Markdown 1f · 78L
├─ 📁 scripts
│ └─ 🐍 imap_idle.py Python 407L · 16.4 KB
└─ 📝 SKILL.md Markdown 78L · 1.9 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
imap-tools | * | pip | No | Version not pinned
beautifulsoup4 | * | pip | No | Version not pinned, used for HTML parsing

Security Positives

✓ Script functionality is legitimate: email notification service
✓ No reverse shell, C2 communication, or obvious malicious code
✓ No base64 encoding or obfuscation detected
✓ No attempts to access ~/.ssh, ~/.aws, or other credential paths
✓ Uses standard libraries (imaplib, urllib) rather than suspicious tools