扫描未读Aliyun企业邮箱邮件，判断并标记显著垃圾/钓鱼邮件为垃圾邮件，支持短信二次验证，报告简短中文状态。
SKILL.md

# ztpc-spam-sweep
## Purpose
Use a persistent OpenClaw browser profile to access **http://mail.ztpc.com/** (Aliyun Enterprise Mail),
scan **UNREAD** emails only, and conservatively mark obvious spam / phishing as **Spam** (never delete).
The skill's final message to the user MUST be **Chinese** and **short** (summary only).

> Key constraint: This mailbox may sometimes require captcha/SMS/2FA.
> - Captcha / slider / click-to-verify: always stop and report that manual verification is required.
> - SMS 2FA: if `interactive_2fa=true` (human-in-the-loop), you may request the code from the user and continue; otherwise stop.

---

## Invocation / Inputs
Invoke as:
`/skill mail-spam-sweep {"dry_run": true|false, "max": <int>, "interactive_2fa": true|false}`

- `dry_run` (default: `false`):
  - `true`: evaluate and report only; **do not** click "Mark as spam".
  - `false`: mark decided SPAM emails as spam (no deletion).
- `max` (default: `20`, hard cap: `50`): max number of **unread** emails to evaluate.
- `interactive_2fa` (default: `false`):
  - `false` (recommended for cron/unattended runs): if SMS/2FA is required, STOP and report manual verification needed.
  - `true` (interactive runs only): if SMS/2FA page appears, the skill may:
    1) click "Send Verification Code",
    2) ask the user to provide the SMS code (usually 6 digits, valid ~5 minutes),
    3) fill the code and proceed,
    4) tick "trusted device" if available to reduce future prompts.

---

## Required files
### 1) secrets.json (required)
Path:
`~/.openclaw/workspace/skills/ztpc-spam-sweep/secrets.json`

Format:
```json
{"username":"ztpc@ztpc.com","password":"YOUR_PASSWORD"}
```

Rules:
- Never print the secret values.
- If secrets.json is missing or invalid -> stop with Chinese status message.

### 2) allowlist.txt (optional but strongly recommended)
Path:
`~/.openclaw/workspace/skills/ztpc-spam-sweep/allowlist.txt`

Format: one entry per line (domain or full email). `#` starts a comment.
Example:
```
# trusted domains
ztpc.com
cnpe.cc
cgnpc.com.cn
```

Matching rule:
- If sender email matches an allowlisted **email**, or sender domain matches an allowlisted **domain**,
  the message is **NEVER** treated as spam (unless explicit blocklist match).

### 3) blocklist.txt (optional)
Path:
`~/.openclaw/workspace/skills/ztpc-spam-sweep/blocklist.txt`

Format: one entry per line (domain or full email). `#` starts a comment.

Matching rule:
- If sender email/domain matches blocklist -> SPAM (highest priority).

---

## HARD RULES (must follow)
1. Always reuse the SAME persistent browser profile:
   - Use OpenClaw's configured `defaultProfile` (recommended: `openclaw`).
   - Do NOT use a temporary/clean profile.
2. **Only scan UNREAD** messages.
   - Do NOT iterate the whole Inbox.
   - Do NOT open every email; rely on the mail list row fields (sender/subject/preview/flags).
3. Never delete emails. The only destructive action allowed is:
   - Mark as spam / move to spam folder.
4. Verification handling:
   - If the login flow requires **captcha / slider / click-to-verify** => STOP and report in Chinese:
     `状态：需要人工验证（验证码/二次验证）`
   - If the login flow requires **SMS 2FA**:
     - If `interactive_2fa=true`: proceed with human-in-the-loop SMS code entry (see Step 1).
     - Else: STOP and report:
       `状态：需要人工验证（验证码/二次验证）`
5. Final output must be a **single Chinese report** (no step-by-step narration).
6. Never output credentials or any sensitive data.

---

## Spam / Phishing decision policy (supports Chinese + English)
### Priority order
1) **Blocklist hit** -> SPAM
2) **Allowlist hit** -> NOT SPAM (skip)
3) Otherwise -> apply heuristic rules below.

### A. Strong-evidence rules (SPAM immediately)
Mark as SPAM if ANY of the following is true:

**A1. Brand / authority impersonation + mismatch**
- Sender display name contains authority keywords (examples below),
  AND sender domain is NOT clearly matching that authority context.

Authority keywords (Chinese/English examples):
- Chinese: `管理员`, `安全中心`, `客服`, `官方`, `银行`, `税务`, `法院`, `公安`, `财务`, `出纳`, `人事`, `IT`, `邮箱`, `系统`
- English: `admin`, `security`, `support`, `official`, `bank`, `tax`, `court`, `police`, `finance`, `hr`, `it`

**A2. Financial / process hijack / urgent secrecy**
Subject or preview contains patterns like:
- `紧急`, `立即`, `限时`, `最后一次`, `逾期`, `冻结`, `异常`, `验证`, `认证`, `升级`, `重新登录`, `安全提醒`
AND at least one of:
- `转账`, `付款`, `汇款`, `收款账户变更`, `开票信息变更`, `财务指令`, `保密`, `不要走流程`
OR a suspicious link/download instruction:
- `点击链接`, `下载`, `附件查看`, `打开文件`

**A3. Obvious scam / phishing template**
- “领导让我联系你/马上转账/不要告诉别人/保密/紧急付款”
- “司法/公安/法院/税务通知，要求点击链接或下载附件”
- “工资/补贴/报销异常，需要重新认证/登录验证”

**A4. Non-business mass marketing pattern**
- Subject contains heavy marketing/lottery keywords AND sender is unknown/untrusted:
  `中奖`, `返利`, `贷款`, `低息`, `套现`, `博彩`, `娱乐城`, `发票代开`, `代开发票`, `刷单`, `兼职日结`, `理财高收益`, `稳赚`
  (Treat as SPAM unless allowlisted.)

### B. Scoring rules (for borderline Chinese spam/phishing)
If no strong-evidence rule hit, compute a risk score from subject + preview + sender signals.

Score additions (examples):
- (+3) Contains: `点击链接|登录验证|重新认证|过期|异常|冻结|升级|安全提醒`
- (+2) Contains: `紧急|立即|限时|最后一次提醒|逾期`
- (+2) Contains finance-ish tokens: `账单|发票|报销|付款|转账|合同款|对账`
- (+2) Has attachment indicator AND sender not allowlisted
- (+3) Sender appears to be free email (`qq.com|163.com|126.com|gmail.com|outlook.com`) while claiming authority keywords
- (+1) Sender appears "new/unknown" (cannot be verified; default +1 when not allowlisted)

Score reductions:
- (SKIP) Allowlist hit => NOT SPAM (handled earlier)
- (-2) Subject contains obvious internal/project keywords AND sender domain looks corporate
  (Examples: `联系单`, `函`, `函件`, `项目部`,`月报`, `周报`, `日报`)

Decision threshold:
- score >= **6** => SPAM
- else => NOT SPAM / UNCERTAIN (leave untouched)

> This is intentionally conservative; tune thresholds/keywords by editing this file and your allowlist.

---

## Procedure (browser automation)
### Step 0: Setup
- Read `secrets.json`.
- Load allowlist/blocklist if present.

### Step 1: Open and login
1. Open browser using the persistent OpenClaw profile.
2. Navigate to `http://mail.ztpc.com/`.
3. Detect whether already logged in:
   - If the UI shows mailbox main layout (folders like 收件箱/未读邮件/垃圾邮件 etc) => logged in.
   - Else, if login iframe/panel is visible => proceed to login.
4. Login (if needed):
   - Fill username + password from `secrets.json`.
   - Click 登录.
   - If login fails with “用户名或密码错误” => STOP and report:
     `状态：登录失败（账号或密码错误）`
   - If a captcha / slider / click-to-verify appears (e.g. “请输入验证码” + image, sliding puzzle, click-confirm) => STOP and report:
     `状态：需要人工验证（验证码/二次验证）`
   - If an **SMS/2FA** page appears (e.g. "Authentication", "SMS", "Send Verification Code", masked mobile number):
     - If `interactive_2fa=false` => STOP and report:
       `状态：需要人工验证（验证码/二次验证）`
     - If `interactive_2fa=true` (interactive runs only):
       1) Click **Send Verification Code**.
       2) Prompt the user (in Chinese) to provide the SMS code (typically 6 digits; valid ~5 minutes).
       3) Fill the code into the input (e.g. textbox "Please input").
       4) If present, tick **Set as a trusted device** (or equivalent wording) to reduce future prompts.
       5) Click **Next** and wait for mailbox main UI.
       6) If still blocked by additional verification => STOP and report:
          `状态：需要人工验证（验证码/二次验证）`

### Step 2: Navigate to UNREAD ONLY
- Click the left folder **“未读邮件”** (or a dedicated Unread filter).
- Do NOT open “收件箱” list unless Unread folder is unavailable.
- If Unread folder is not found, try UI search/filter for unread.
- Cap evaluation to `max` items.

### Step 3: Extract rows (lightweight)
For each unread mail row (up to `max`):
- Extract at least:
  - sender display name
  - (if visible) sender email / domain
  - subject
  - preview snippet (one-line)
  - attachment indicator (if visible)

IMPORTANT:
- Do NOT open the mail body unless necessary to find sender email/domain (prefer not to).
- If sender email/domain cannot be obtained from list view, decide using display name + subject + preview only.

### Step 4: Decide and act
For each row:
1. If allowlist match => keep (NOT SPAM).
2. Else if blocklist match => SPAM.
3. Else apply strong-evidence rules; if match => SPAM.
4. Else score; if score >= 6 => SPAM; else keep.

Action:
- If `dry_run=true`: do not click spam; only record decisions.
- If `dry_run=false` and decided SPAM:
  - Select the message (checkbox or row select)
  - Click UI action to mark as spam / move to spam:
    - typically a “垃圾邮件” button or a “更多” menu -> “标记为垃圾邮件”
  - Ensure the UI action is “mark/move to spam”, not delete.

### Step 5: Final report (Chinese, strict)
Return exactly ONE final message with this structure:

```
✅ 状态：完成（dry_run=<true|false>, max=<N>）
🗑️ 垃圾邮件处理：<S> 封
- <发件人> — <主题>
...

⚠️ 非垃圾/不确定（未处理）：<K> 封
- <发件人> — <主题>
...
```

If stopped for manual verification:
```
⛔ 状态：需要人工验证（验证码/二次验证）
说明：检测到登录需要验证码/二次验证，请先在同一浏览器 profile 中手动完成一次验证，然后再次运行本技能。
```

If secrets missing:
```
⛔ 状态：缺少配置（secrets.json）
说明：请在 ~/.openclaw/workspace/skills/ztpc-spam-sweep/secrets.json 填写用户名与密码。
```

---

## Notes / Tuning tips
- **Most important**: keep your allowlist current for business domains to avoid false positives.
- If you see recurring spam from a stable domain/email, add it to `blocklist.txt`.
- This skill intentionally avoids reading the entire Inbox to reduce cost and noise.
Ztpc Spam Sweep

SKILL.md

related skills
