技能详情(站内镜像,无评论)
作者:Jay @AIDidMyHomework
许可证:MIT-0
MIT-0 ·免费使用、修改和重新分发。无需归因。
版本:v1.0.0
统计:⭐ 0 · 31 · 0 current installs · 0 all-time installs
⭐ 0
安装量(当前) 0
🛡 VirusTotal :良性 · OpenClaw :可疑
Package:aididmyhomework/tutacom
安全扫描(ClawHub)
- VirusTotal :良性
- OpenClaw :可疑
OpenClaw 评估
The skill appears to implement a Tuta/Tutanota client as claimed, but its runtime instructions and packaged code ask the agent to store sensitive secrets and decrypted keys in places not declared by the registry metadata and contain other inconsistencies and a likely code error — proceed with caution.
目的
The script implements login, inbox, read, and send functionality against https://app.tuta.com/rest, which matches the skill description. However the registry metadata claims no required environment variables or config paths, while SKILL.md instructs the user to store TUTA_EMAIL and TUTA_PASSWORD in openclaw.json under skills.entries.tuta-mail.env. That metadata/requirements mismatch is a clear incoherence.
说明范围
Runtime instructions tell the agent to save a session file containing access token and decrypted keys to /tmp/tuta_session.json and to store credentials in openclaw.json (agent config). Saving decrypted keys to disk and instructing to place plaintext credentials into the agent config increases exposure and is not declared in the skill metadata. The instructions also require installing Python crypto packages and use an undocumented REST API — u…
安装机制
This is an instruction-only skill with an included Python script. There is no formal install spec; the SKILL.md recommends pip installing dependencies. That is a moderate-risk, common pattern for script-based skills but means code will be executed locally and dependencies installed at runtime.
证书
The client legitimately needs the user's Tuta email and password, which the SKILL.md requests as TUTA_EMAIL and TUTA_PASSWORD. However the registry metadata lists no required env vars or primary credential and declares no required config paths. The SKU asks to persist decrypted passphrase_key and group keys in the session file (sensitive material). The credential storage and lack of metadata declaration are disproportionate/ inconsistent.
持久
always:false and model invocation allowed (defaults) — normal. The SKILL.md asks the user to write credentials into openclaw.json (agent config) and to persist a session file under /tmp; writing its own session file is normal for a client, but storing sensitive decrypted keys in a broadly accessible file and modifying agent config without the metadata declaring config usage increases the risk profile.
安装(复制给龙虾 AI)
将下方整段复制到龙虾中文库对话中,由龙虾按 SKILL.md 完成安装。
请把本段交给龙虾中文库(龙虾 AI)执行:为本机安装 OpenClaw 技能「Manage your tuta.com account」。简介:Send, read, and manage emails via Tuta (formerly Tutanota) encrypted email serv…。
请 fetch 以下地址读取 SKILL.md 并按文档完成安装:https://raw.githubusercontent.com/openclaw/skills/refs/heads/main/skills/aididmyhomework/tutacom/SKILL.md
(来源:yingzhi8.cn 技能库)SKILL.md
暂无本地缓存内容,可在后台执行详情同步。