by 安全扫描
OpenClaw
可疑
medium confidence该技能的代码和运行指令大致匹配邮件到日历的自动化功能,但存在元数据不一致和值得审查的运营行为(自动标记/存档邮件、修改 HEARTBEAT.md、发送通知、读写工作空间文件),在安装前应仔细审查。
评估建议
["在安装和启用前,请检查以下内容:","1. 自行或与可信任的开发人员一起审查包含的脚本(scripts/*.sh 和 scripts/utils/*.py),因为它们实现了所有提供商交互、投票跟踪和撤销——真正的行为在那里。","2. 了解该技能将读取您的未读邮件,提取 URL 和截止日期,并默认可能将处理的消息标记为已读并存档,并可能发送截止日期通知邮件。如果不想要自动更改,请在首次运行前将 ~/.config/email-to-calendar/config.json 中的 email_handling.auto_dispose_calendar_replies、email_handling.mark_read 和 email_handling.archive 设置为 false。","3. 确认提供商权限:该技能假设一个邮件/日历提供商(例如 'gog' CLI)。仅授予必要的最小权限(读取消息、创建/更新事件)并验证是否允许删除/发送权限。","4. 元数据不匹配(ownerId/slug/版本不一致和重复前置元数据版本)降低了来源保证。更好地选择具有一致元数据的技能或向维...详细分析 ▾
ℹ 用途与能力
The declared purpose (extract events from email and manage calendar entries) matches the included scripts and Python utilities which implement searching emails, extracting events, duplicate detection, creating/updating/deleting events, tracking, and undo support. Minor incoherences: package/metadata fields show different slugs/versions/ownerIds (SKILL.md shows multiple version lines; _meta.json/package.json owner/slug/version do not fully match the registry metadata), and package.json declares read/create/update capabilities but the code also implements delete and email-sending flows. These metadata mismatches don't prove maliciousness but reduce trust and should be resolved.
⚠ 指令范围
SKILL.md instructs agents to run wrapper scripts under ~/.openclaw/workspace/skills/email-to-calendar/scripts and to read/write various files outside the skill (e.g., ~/.config/email-to-calendar/config.json, ~/.openclaw/workspace/HEARTBEAT.md, and memory/index.json). The instructions mandate scanning ALL unread emails (direct mode) and ALWAYS extracting/including URLs from email bodies. The skill also documents automatic disposition (mark as read/archive) and auto-processing of calendar reply emails. Those behaviors are coherent with the feature set but are high-impact: they modify inbox state, can create/delete calendar events, write persistent audit/heartbeat files, and may send notification emails. The SKILL.md also enforces use of wrapper scripts (not calling 'gog' directly) — sensible for bookkeeping but worth auditing because it centralizes all provider interactions in the scripts.
✓ 安装机制
There is no external install/download step in the registry entry (instruction-only), and all code is included in the bundle. No remote URLs or extract/install steps were observed. That lowers supply-chain risk compared with remote installers.
ℹ 凭证需求
The registry lists no required environment variables; package.json lists required binaries (python3, bash, jq) and the SKILL.md/SETUP.md expect an email/calendar provider (example 'gog' CLI). The skill accesses local config and memory files under the user's home/workspace rather than requesting unrelated cloud credentials. However, the skill can send email (gog gmail send) and delete calendar events — capabilities that require sensitive permissions. Ensure the agent is granted only the minimal provider capabilities needed and confirm deadline_notifications and auto-disposition defaults before enabling.
⚠ 持久化与权限
The skill writes persistent state to ~/.openclaw/workspace/memory/email-to-calendar/* and ~/.config/email-to-calendar/config.json and suggests adding sections to HEARTBEAT.md. It auto-disposes calendar notifications and (by default config examples) may auto-mark emails as read/archive and send notification emails. While 'always' is false and the skill doesn't request platform-wide always-on privilege, the persistent read/write behaviour and inbox/calendar modification are significant and should be authorized explicitly by the user.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/25
doro-email-to-calendar 1.0.0 - 初始发布:从邮件中提取日历事件并创建日历条目。- 支持直接收件箱监控和转发邮件处理模式。- 包括智能入站、事件追踪、撤销支持、截止日期检测与提醒事件以及待处理邀请提醒。- 使用包装脚本进行所有操作以确保跟踪并防止重复。- 具有严格的规则以防止错误的事件创建并可靠地管理重复。- 宣布为多个日历/邮件提供商提供强大的配置和可扩展性。
● 可疑
安装命令 点击复制
官方npx clawhub@latest install doro-email-to-calendar
镜像加速npx clawhub@latest install doro-email-to-calendar --registry https://cn.clawhub-mirror.com
技能文档
功能描述
从邮件中提取日历事件和截止日期,呈现给用户审查,并创建或更新日历条目,具有重复检测和撤销支持。...使用指南
- 安装:
npm install doro-email-to-calendar - 配置:编辑
~/.config/email-to-calendar/config.json - 运行:
doro-email-to-calendar --watch
高级配置
请参阅 SKILL.md 中的详细文档(保留英文,未翻译)数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制