Email Importance and Content Analysis: Secure Email Triage - Openclaw Skills

Author: Internet

2026-03-30

AI Tutorials

What is Email Importance and Content Analysis?

This Openclaw Skills component provides a framework for assessing the urgency and authenticity of an email by prioritising content over easily forged metadata. Unlike conventional filters that rely on the sender name, the skill takes a layered approach: subject-first triage, technical header verification (SPF/DKIM/DMARC) and behavioural content analysis. It lets users and automated agents distinguish legitimate priority requests from sophisticated social-engineering attempts.

By integrating this logic, the skill ensures that sensitive operations (such as financial transactions or account security updates) are reviewed through a zero-trust lens. It not only ranks importance but also provides actionable guidance on how to verify claims safely through out-of-band channels, rather than trusting links or attachments in the message body that may be malicious.

Download: https://github.com/openclaw/skills/tree/main/skills/shingo0620/email-importance-content-analysis

Installation and Download

1. ClawHub CLI

The fastest way to install the skill directly from source.

npx clawhub@latest install email-importance-content-analysis

2. Manual installation

Copy the skill folder to one of the following locations:

Global: ~/.openclaw/skills/
Workspace: /skills/

Precedence: workspace > local > built-in

3. Prompt-based installation

Paste this prompt into OpenClaw to install automatically.

Please install email-importance-content-analysis for me using Clawhub. If Clawhub is not installed yet, install it first (npm i -g clawhub).

Email Importance and Content Analysis: Use Cases

  • Automated triage of high-volume inboxes to identify critical financial, legal or security alerts.
  • Detection of phishing and social-engineering attempts that slip past standard spam filters using lookalike domains.
  • Recommending safe follow-up steps for emails involving sensitive account access or transfers of funds.
  • Summarising complex email threads while flagging specific technical risks in the raw headers.

Email Importance and Content Analysis: How It Works

  1. Title and subject triage: a low-cost first pass over the subject line and sender, applying fast-drop rules to obvious spam or marketing mail.
  2. Technical verification: analysis of the SPF, DKIM and DMARC results and their alignment in the raw headers, to confirm that the sender domain was actually authenticated.
  3. Actionable claim extraction: extraction of factual data from the body about the requested action, deadlines and the evidence offered (such as order IDs).
  4. Action classification: ranking importance by the sensitivity of the request (such as a credential reset or invoice settlement).
  5. Risk pattern detection: review of the content for red flags such as manufactured urgency, demands for secrecy or unusual payment methods (such as gift cards).
  6. Safe verification advice: recommending secure out-of-band ways to check the email's claims through the official app or a known URL.
  7. Structured output generation: a detailed report including priority, technical verdict and specific recommended actions.

Email Importance and Content Analysis: Configuration Guide

To enable this skill in your environment, make sure your agent has access to the raw email data or to the output of a header-analysis tool. The skill is designed to process text-form representations of emails supplied by Openclaw Skills-compatible integrations.

# Example: start an email analysis session
openclaw run email-importance-content-analysis --input-file="original_email.eml"

Email Importance and Content Analysis: Data Schema and Taxonomy

Field | Description | Type
title_verdict | Escalate-or-ignore decision based on the subject line | string
tech_verdict | SPF/DKIM/DMARC results and their alignment check | enum (Pass, Fail, Unknown)
importance | Priority classification of the email for the user | enum (Critical, High, Medium, Low)
risk_level | Assessed phishing or scam potential | enum (High, Medium, Low)
next_step | Concrete instructions for safe handling and verification | string

name: email-importance-content-analysis
description: Judge whether an email is important/urgent using content-based analysis rather than sender name or mailbox labels (which can be spoofed). Use when asked to triage emails, decide priority, detect phishing/social-engineering, or recommend next actions (reply/pay/login/download/click) based on what the message asks the user to do.

Email Importance Content Analysis

Use a subject/title-first triage, then perform technical verification (headers/links/attachments) only when warranted, and only then validate with content analysis. Treat sender display name, badges, labels, and “From” appearance as untrusted.

Workflow (title → technical → content)

1) Title/subject + sender triage (cheap first-pass)

Use only: subject line + sender (display name + email address/domain as shown). Do not click anything.

Important: treat sender as weak signal (can be spoofed). Use it for triage only.

1A) Fast-drop rules (save time)

If the sender looks obviously sloppy/spoofed AND the email is not expected, classify as Likely scam/ads and stop (do not spend time on technical verification). Examples of fast-drop signals:

  • Display name claims a bank/government/major brand but the address is from a free mailbox (gmail/outlook/163/qq) or unrelated domain
  • Lookalike domains / typo-squatting: paypaI (I/l), micros0ft (0/O), extra -secure/-verify, weird punctuation
  • Suspicious TLDs or brand stuffed into subdomain: brand.security-check.example.com
  • Very unprofessional local-part patterns (random digits/strings) while claiming official identity
  • Pure promo patterns (promo/marketing/news) + obvious sales subject → treat as ads

1B) Escalate rules (to technical verification)

Escalate for technical verification if subject OR sender implies any of:

  • Money/settlement: 扣款/圈存/付款/退款/發票/帳單/對帳單/繳費 (debit, stored-value top-up, payment, refund, invoice, bill, statement, fee payment)
  • Account/security: 登入/驗證/密碼重設/異常登入/停權/封鎖/安全警告 (login, verification, password reset, abnormal login, suspension, blocked, security alert)
  • Delivery/download: 文件下載/取件號碼/包裹/物流失敗 (file download, pickup number, parcel, delivery failure)
  • Urgency/threat: 最後通知/24小時內/立即/否則將… (final notice, within 24 hours, immediately, "otherwise ...")
  • Execution: 附件/請下載/請開啟/啟用巨集 (attachment, please download, please open, enable macros)

If the subject is clearly marketing/newsletter and no action is implied → usually stop here (Low).

If it triggers the fast-drop rules, you may label it as:

  • Importance: Low
  • Risk: Medium–High (spoof attempt)
  • Next step: Do not click; optionally mark as spam/block
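
The step-1 triage above (and steps 1 and 2 of the workflow summary earlier on the page) as a runnable Python example. This is an added example, not the skill's own code: the brand list, free-mailbox list, keyword patterns and the sample From/Subject pairs are constructed assumptions, and registrable_domain() approximates the organizational domain with the last two labels where a real check would consult the Public Suffix List. It looks only at the subject line and From header, exactly as step 1 requires, and never touches the body.

```python
"""Step-1 triage over the subject line and From header only (no body, no clicks).
Added example, not the skill's own code; brand, mailbox and keyword lists are assumptions."""
from __future__ import annotations

import re
from email.utils import parseaddr

# Assumed: brands a spoofer likes to claim, with the domains they legitimately mail from.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}
FREE_MAILBOX_DOMAINS = {"gmail.com", "outlook.com", "163.com", "qq.com"}

# Subject terms implying money, account, delivery, urgency or execution (the escalate
# categories), in English plus the Chinese terms the skill lists.
ESCALATE = re.compile(
    r"invoice|payment|refund|statement|billing|login|sign-?in|verif|password|suspend|"
    r"blocked|security alert|parcel|delivery|download|attachment|macro|final notice|"
    r"within 24|immediately|"
    r"扣款|圈存|付款|退款|發票|帳單|對帳單|繳費|登入|驗證|密碼重設|異常登入|停權|封鎖|"
    r"安全警告|文件下載|取件號碼|包裹|物流失敗|最後通知|24小時內|立即|附件|請下載|請開啟|啟用巨集",
    re.IGNORECASE,
)
MARKETING = re.compile(r"newsletter|promo|marketing|unsubscribe|sale|% off|deals?", re.IGNORECASE)

# Visually confusable characters, folded so "paypaI", "paypa1" and "paypal" compare equal.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "3": "e", "5": "s", "$": "s"})


def fold(text: str) -> str:
    return text.lower().translate(_CONFUSABLES)


def registrable_domain(host: str) -> str:
    """Approximate organizational domain: last two labels (assumption; use the PSL in production)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def is_genuine_domain(host: str) -> bool:
    return any(registrable_domain(host) in domains for domains in KNOWN_BRANDS.values())


def within_one_edit(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def lookalike_brand(host: str) -> str | None:
    """Brand a non-genuine host imitates: brand token inside any label (paypal-secure.example,
    paypal.security-check.example.com), confusable spelling (paypaI, micros0ft) or a
    one-character typo in the registrable label (paypa.com)."""
    if not host or is_genuine_domain(host):
        return None
    labels = [fold(label) for label in host.split(".")]
    for brand in KNOWN_BRANDS:
        folded = fold(brand)
        if any(folded in label for label in labels) or (len(labels) > 1 and within_one_edit(labels[-2], folded)):
            return brand
    return None


def claimed_brand(display_name: str) -> str | None:
    folded = fold(display_name)
    return next((b for b in KNOWN_BRANDS if fold(b) in folded), None)


def triage(from_header: str, subject: str, expected: bool = False) -> dict:
    """Step-1 verdict: 'Likely scam/ads' (fast drop), 'Ignore' (marketing) or 'Escalate'."""
    display, addr = parseaddr(from_header)
    local, _, host = addr.lower().rpartition("@")
    signals = []
    brand = claimed_brand(display)
    if brand and not is_genuine_domain(host):
        where = "a free mailbox" if registrable_domain(host) in FREE_MAILBOX_DOMAINS else "an unrelated domain"
        signals.append(f"display name claims {brand} but the address is on {where} ({host})")
        if re.search(r"\d{4,}", local):
            signals.append("random-looking local part while claiming an official identity")
    imitated = lookalike_brand(host)
    if imitated:
        signals.append(f"lookalike domain for {imitated}: {host}")
    if signals and not expected:  # sloppy/spoofed sender AND the mail was not expected
        return {"verdict": "Likely scam/ads", "importance": "Low", "risk": "Medium-High",
                "signals": signals, "next_step": "Do not click; optionally mark as spam/block"}
    if ESCALATE.search(subject):
        return {"verdict": "Escalate", "signals": signals,
                "next_step": "Run technical verification on the raw headers"}
    if MARKETING.search(subject) or MARKETING.search(local):
        return {"verdict": "Ignore", "importance": "Low", "risk": "Low", "signals": signals}
    # Assumption: with no fast-drop or marketing match, header checks are cheap, so escalate.
    return {"verdict": "Escalate", "signals": signals,
            "next_step": "No fast-drop signal; confirm with raw headers before trusting"}


if __name__ == "__main__":
    print(triage('"PayPal Security" <alerts@paypaI-secure.example.com>', "Your account will be suspended within 24 hours"))
    print(triage('"Acme Billing" <billing@acme-corp.example>', "Invoice #4471 due"))
```

The `expected` flag matters: the same sloppy-looking sender is fast-dropped only when the mail was not expected, which is what the rule above says; a known-good brand domain is never treated as a lookalike, so `Microsoft <no-reply@microsoft.com>` with a password-reset subject escalates to header verification instead of being dropped.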

2) Technical verification (only for emails that passed title triage)

Prefer evaluating raw email headers / “Show original” output (or via gog gmail get). Check:

  • Authentication-Results: SPF / DKIM / DMARC results (pass|fail|neutral) and note which domain they authenticate
  • Alignment: whether DKIM d= domain / SPF MAIL FROM / DMARC aligns with the visible From domain
  • From vs Reply-To mismatch
  • Links and attachments:
    • Expand the real target domain (hover/copy link) — don’t trust anchor text
    • Note risky attachments (e.g., .zip, .iso, .js, .vbs, .docm, password-protected archives)

If headers are not available, mark Technical verdict = Unknown and increase caution.

3) Extract the actionable claims (facts only) — only if technical verification passes

From the email body, list:

  • What happened / what they claim happened
  • What they want the recipient to do (and by when)
  • What account/system/money is involved
  • What evidence they provide (order id, invoice id, ticket id, last-4 digits, timestamps)

4) Classify the required action (drives importance)

Rank higher if it requires any of:

  • Account access / authentication: login, password reset, 2FA codes, device approval
  • Money movement: payment, wire, subscription renewal, invoice settlement, refunds
  • Permissions / security posture: granting access, changing roles, API keys, OAuth consent
  • Software execution: download/open an attachment, run a file, enable macros
  • Data disclosure: personal/company info, documents, ID numbers

5) Content risk patterns (red flags)

Increase risk if the content shows:

  • Urgency / threat: “within 24h”, “account will be closed”, “legal action”, “final notice”
  • Secrecy / bypass: “don’t tell others”, “use personal email”, “avoid normal process”
  • Mismatch / vagueness: generic greeting, unclear context, missing specifics the real sender would know
  • Odd requests: asking for OTP, gift cards, crypto, remote access, or direct bank changes
  • Link/attachment pressure: “click to verify”, “download to view”, “enable macros”

6) Choose safe verification (do not trust the email path)

Even if SPF/DKIM/DMARC pass, for sensitive actions recommend out-of-band verification:

  • Navigate via known official entry points (typed URL, app, bookmark), not email links
  • If it claims an account issue: check account status by logging in from official site/app
  • If it’s a vendor/payment issue: verify using the invoice/order id inside the official portal
  • If it’s workplace related: verify via internal chat/phone using known contacts

7) Output: priority + next action

Always provide:

  • Title triage verdict: Escalate / Ignore
  • Technical verdict: Pass / Fail / Unknown
  • Importance level: Critical / High / Medium / Low
  • Risk level: High (likely phishing) / Medium / Low
  • Recommended next step: what to do now, what not to do, and how to verify

Decision Heuristics (quick)

  • Technical FAIL (SPF/DKIM/DMARC fail or obvious mismatch) + any call-to-action → Risk: High (treat as phishing) regardless of “importance”.
  • Critical: money/credentials/permissions + urgency OR any request for OTP/macro/remote access.
  • High: requires action soon, could cause loss of access/service interruption, but can be verified safely via official channels.
  • Medium: informational but relevant; no immediate sensitive action.
  • Low: newsletters, marketing, generic updates with no action.
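
Steps 3 to 6 and the decision heuristics above as one Python example (added here, not the skill's code; it also covers steps 3 to 6 of the workflow summary earlier on the page). The keyword lists, the rule that an informational mail carrying an order or invoice id rates Medium, and the four sample bodies are assumptions. The function takes the step-2 verdict as input so the "Technical FAIL + any call-to-action" rule can be applied before the content-based ones.

```python
"""Steps 3-5 plus the decision heuristics: classify the required action, spot content red
flags, extract the evidence offered, then combine with the technical verdict. Added
example, not the skill's own code; pattern lists and sample bodies are constructed."""
import re


def _rx(alternatives: str) -> re.Pattern:
    return re.compile(rf"\b(?:{alternatives})\b", re.IGNORECASE)


# Step 4: what the message asks the recipient to do (assumed keyword lists).
ACTION_CLASSES = {
    "credentials": _rx(r"log[- ]?in|sign[- ]?in|password|2fa|one-time code|otp|verification code|approve this device"),
    "money": _rx(r"payment|wire|transfer|invoice|renewal|refund|settle|pay|buy|purchase|gift cards?"),
    "permissions": _rx(r"grant access|change (?:my|the) role|api key|oauth|consent"),
    "execution": _rx(r"attachment|download|open the file|enable (?:content|macros?)|run the"),
    "disclosure": _rx(r"id number|passport|social security|copy of your|send (?:me|us) your"),
}
# Step 5: the red flags the skill lists (assumed phrasings).
RED_FLAGS = {
    "urgency": _rx(r"within 24 ?h(?:ours)?|account will be (?:closed|suspended)|legal action|final notice|immediately|to avoid suspension"),
    "secrecy": _rx(r"don'?t tell|keep this (?:confidential|between us)|personal email|skip the (?:usual|normal) process"),
    "odd_request": _rx(r"gift cards?|crypto|bitcoin|remote access|anydesk|teamviewer|change (?:the|our) bank|otp|one-time code"),
    "pressure": _rx(r"click (?:here )?to verify|download to view|enable macros?"),
    "vagueness": _rx(r"dear (?:customer|user|client)|valued customer"),
}
# Requests the heuristics rate Critical on their own (OTP / macro / remote access).
CRITICAL_REQUESTS = _rx(r"otp|one-time code|verification code|enable macros?|remote access|anydesk|teamviewer")
# Step 3: evidence a genuine sender would have, and any explicit deadline.
EVIDENCE = re.compile(r"\b(?:order|invoice|ticket|case)\s*#?\s*([A-Z]{0,4}-?\d{3,}[A-Z0-9-]*)", re.IGNORECASE)
DEADLINE = re.compile(r"within \d+ ?(?:hours|h|days)|by \d{1,2} \w+", re.IGNORECASE)

# Constructed sample bodies.
PHISH_BODY = ("Dear Customer, we detected an unusual sign-in on your account. To avoid suspension, "
              "click here to verify your password within 24 hours or your account will be suspended.")
INVOICE_BODY = ("Hi Dana, invoice INV-20931 for March services is due on 15 April. "
                "You can pay it in the supplier portal as usual.")
GIFTCARD_BODY = ("Are you at your desk? I need you to buy 5 gift cards for a client today and send me "
                 "the codes. Keep this between us, I am in a meeting.")
NEWSLETTER_BODY = "Here is our monthly product update: new dashboards shipped in March. Read more on our blog."


def extract_claims(body: str) -> dict:
    """Step 3: facts only, no judgement."""
    deadline = DEADLINE.search(body)
    return {
        "actions": [name for name, rx in ACTION_CLASSES.items() if rx.search(body)],
        "flags": [name for name, rx in RED_FLAGS.items() if rx.search(body)],
        "evidence": EVIDENCE.findall(body),
        "deadline": deadline.group(0) if deadline else None,
    }


def next_step(actions: list[str], risk: str) -> str:
    """Step 6: verify out of band, never through the email's own links or numbers."""
    if risk == "High":
        return "Do not click, reply, pay or open attachments; treat as phishing and report it."
    if {"credentials", "permissions"} & set(actions):
        return "Check the account from the official app or a typed URL, not the email link."
    if "money" in actions:
        return "Look the invoice/order id up inside the official portal before paying."
    if {"execution", "disclosure"} & set(actions):
        return "Confirm with the sender on a known phone number or internal chat first."
    return "No action required; file or ignore."


def analyze(tech_verdict: str, body: str) -> dict:
    """Apply the decision heuristics to one message body given the step-2 verdict."""
    claims = extract_claims(body)
    actions, flags = claims["actions"], claims["flags"]
    sensitive = bool({"credentials", "money", "permissions"} & set(actions))
    if CRITICAL_REQUESTS.search(body) or (sensitive and "urgency" in flags):
        importance = "Critical"
    elif actions:
        importance = "High"
    elif claims["evidence"]:
        importance = "Medium"  # assumption: informational but refers to a specific order/ticket
    else:
        importance = "Low"
    if tech_verdict == "Fail" and actions:  # failed verdict plus any call to action: phishing
        risk = "High"
    elif "odd_request" in flags or len(flags) >= 2:
        risk = "High"
    elif flags or (tech_verdict == "Unknown" and actions):
        risk = "Medium"
    else:
        risk = "Low"
    return {**claims, "importance": importance, "risk": risk, "next_step": next_step(actions, risk)}


if __name__ == "__main__":
    for verdict, body in (("Fail", PHISH_BODY), ("Pass", INVOICE_BODY), ("Pass", GIFTCARD_BODY)):
        print(analyze(verdict, body))
```

The gift-card sample is the instructive one: headers can pass cleanly because the account really was compromised or the message really came from a personal mailbox, so the content flags alone (odd request plus secrecy) drive the risk to High, while importance stays High rather than Critical because the request is for gift cards, not an OTP, macro or remote access.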

Response Template (use in replies)

  • Title triage (why it escalates / why it can be ignored):
  • Technical verification (SPF/DKIM/DMARC + alignment + From/Reply-To + link/attachment notes):
  • Summary (1–2 lines):
  • What it’s asking you to do:
  • Why it may matter (impact if ignored):
  • Red flags (if any):
  • Safe verification path:
  • Recommendation (do / don’t):
