Low Risk — Risk Score 20/100
Last scan: 1 day ago
welderjustin-imap-smtp-email
Read and send email via IMAP/SMTP
A legitimate IMAP/SMTP email skill with undocumented filesystem operations for attachment handling. No malicious behavior detected, but SKILL.md omits required filesystem READ/WRITE capabilities.
Skill Name: welderjustin-imap-smtp-email
Duration: 58.4s
Engine: pi
Safe to install
Add filesystem:READ and filesystem:WRITE to the SKILL.md metadata under requires.resources to cover the attachment and file-body features. The code validates paths against ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS, so the mismatch is a documentation gap rather than a functional risk.

Findings 3 items

Severity | Finding | Category | Location

Low | Missing filesystem:WRITE declaration | Doc Mismatch | SKILL.md:10
The SKILL.md metadata declares only env and bins, but imap.js downloads attachments to disk using ALLOWED_WRITE_DIRS. This filesystem write operation is not declared.
Evidence: metadata.openclaw.requires.env: [IMAP_HOST, IMAP_USER, ...]
→ Add 'resources: { filesystem: WRITE }' to the requires section, or document attachment download as a filesystem operation.

Low | Missing filesystem:READ declaration | Doc Mismatch | SKILL.md:10
Both imap.js and smtp.js read files (attachments, body-file, subject-file) from ALLOWED_READ_DIRS, but this filesystem read capability is not declared in SKILL.md.
Evidence: metadata.openclaw.requires
→ Add filesystem:READ to the declared resources if the file body/attachment features are to be used.

Low | Undeclared environment variables | Priv Escalation | scripts/imap.js:30
ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS are required environment variables for the skill to function, but they are not mentioned in the SKILL.md metadata.
Evidence: process.env.ALLOWED_WRITE_DIRS
→ Document ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS as required environment variables in SKILL.md.
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | READ | ✗ Violation | scripts/smtp.js:8 dotenv config, scripts/imap.js:215 attachment download, script…
Filesystem | NONE | WRITE | ✗ Violation | scripts/imap.js:260 fs.writeFileSync for attachments
Network | NONE | READ | ✓ Aligned | IMAP connection via imap library; implied by email tool functionality
Network | NONE | WRITE | ✓ Aligned | SMTP connection via nodemailer; implied by email tool functionality
Environment | IMAP_HOST, IMAP_USER, IMAP_PASS, SMTP_HOST, SMTP_USER, SMTP_PASS | IMAP_HOST, IMAP_USER, IMAP_PASS, SMTP_HOST, SMTP_USER, SMTP_PASS, ALLOWED_READ_DIRS, ALLOWED_WRITE_DIRS | ✓ Aligned | ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS not declared in metadata
4 findings

Severity | Type | Value | Location
Medium | External URL | https://myaccount.google.com/apppasswords | SKILL.md:66
Info | Email address | [email protected] | SKILL.md:33
Info | Email address | [email protected] | SKILL.md:43
Info | Email address | [email protected] | scripts/imap.js:48

File Tree

6 files · 33.8 KB · 1268 lines
JavaScript: 2 files · 822 lines | Markdown: 1 file · 211 lines | Shell: 1 file · 199 lines | JSON: 2 files · 36 lines
├─ 📁 scripts
│ ├─ 📜 imap.js JavaScript 588L · 15.1 KB
│ └─ 📜 smtp.js JavaScript 234L · 6.5 KB
├─ 📋 _meta.json JSON 5L · 134 B
├─ 📋 package.json JSON 31L · 764 B
├─ 🔧 setup.sh Shell 199L · 4.8 KB
└─ 📝 SKILL.md Markdown 211L · 6.6 KB

Dependencies 5 items

Package | Version | Source | Known Vulns | Notes
imap | ^0.8.19 | npm | No | Standard IMAP client library
imap-simple | ^5.1.0 | npm | No | Promise-based IMAP wrapper
nodemailer | ^7.0.13 | npm | No | Standard SMTP library
mailparser | ^3.9.3 | npm | No | Email parsing library
dotenv | ^16.6.1 | npm | No | Environment variable loader

Security Positives

✓ No base64 encoding, obfuscation, or anti-analysis techniques found
✓ No reverse shell, RCE, or arbitrary command execution
✓ No credential exfiltration or data theft
✓ Path traversal protection implemented via validateWritePath and validateReadPath
✓ ALLOWED_READ_DIRS and ALLOWED_WRITE_DIRS provide directory whitelisting
✓ Proper .env handling with 600 permissions in setup.sh
✓ All dependencies are legitimate email packages (imap, nodemailer, mailparser, dotenv)
✓ Symlink resolution in validateReadPath prevents path traversal attacks
✓ No curl|bash or remote script execution
✓ No access to ~/.ssh, ~/.aws, or other credential paths