Scan Report
0/100
tuta-mail
Send, read, and manage emails via Tuta (formerly Tutanota) encrypted email service
Legitimate Tuta encrypted email client with proper E2E cryptography, no credential exfiltration, and no malicious behavior.
Safe to install
This skill is safe to use. Ensure pip dependencies are version-pinned in production for reproducibility.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | READ,WRITE | WRITE | ✓ Consistent | SKILL.md:session-file / scripts/tuta_client.py:save_session (line 204) |
| Network access | READ,WRITE | READ,WRITE | ✓ Consistent | SKILL.md declares API usage at https://app.tuta.com/rest/ |
| Command execution | NONE | NONE | — | No subprocess or shell execution; uses Python directly |
| Environment variables | NONE | NONE | — | No direct environment variable access; credentials from openclaw.json |
2 findings
| Severity | Category | Value | Location |
|---|---|---|---|
| Medium | External URL | https://app.tuta.com/rest/ | SKILL.md:8 |
| Medium | External URL | https://app.tuta.com/rest | scripts/tuta_client.py:30 |
Directory structure
2 files · 24.8 KB · 672 lines (Python: 1 file · 588 lines; Markdown: 1 file · 84 lines)
├─ scripts/
│  └─ tuta_client.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis (4 items)
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned in SKILL.md documentation |
| pycryptodome | * | pip | No | Version not pinned |
| bcrypt | * | pip | No | Version not pinned |
| argon2-cffi | * | pip | No | Version not pinned |
Security highlights
✓ End-to-end encryption properly implemented with AES-128-CBC + HMAC-SHA256
✓ Session files stored with restrictive permissions (chmod 0o600)
✓ MAC verification prevents ciphertext tampering
✓ Argon2id supported for newer accounts with secure parameters (time_cost=4, memory_cost=32MB)
✓ Bcrypt cost factor (8 rounds) with SHA-256 pre-hashing for legacy accounts
✓ All network requests exclusively to legitimate Tuta API endpoint (app.tuta.com)
✓ Credentials used only for key derivation, never stored or exfiltrated
✓ No base64-encoded execution, reverse shells, or C2 communication
✓ No credential harvesting beyond legitimate login flow
✓ Proper PKCS7 padding removal with validation