Skill v0.1.2
ClawScan security
Agentmail.to Inbox Ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Feb 23, 2026, 3:22 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to implement the described Agentmail inbox operations, but there are multiple metadata and disclosure inconsistencies you should resolve before installing (notably missing declared required env vars and small manifest mismatches).
- Guidance: This skill appears to implement what it claims (list/read/reply/download/analyze attachments) and contains unit tests that exercise security-related behavior. However, before installing or running it you should:
  - Treat AGENTMAIL_API_KEY as a sensitive secret: set it only in a local .env and never commit that file. Confirm the registry metadata lists required env vars (it currently does not). The mismatch is a red flag for sloppy publishing.
  - Verify the AgentMail SDK dependency (package name and versions) is the official client you expect (check PyPI or the vendor docs) before running uv sync to install dependencies.
  - Note the scripts will write inbox_ops.log and any downloaded attachments to disk; make sure these paths are acceptable and .gitignored in your environment.
  - Be aware get_message.py prints full message text to stdout; integrate the skill only into systems that are authorized to see that content.
  - If you plan to enable PDF/DOCX extraction (--extract-text), follow the guardrails: run extraction in a sandbox/container and respect the time and size limits.
  - Consider asking the skill author (or maintainer) to: 1) update the registry metadata to declare AGENTMAIL_API_KEY and AGENTMAIL_INBOX as required env vars/primary credential, and 2) reconcile version numbers in the registry vs pyproject to avoid confusion.
  Given the inconsistencies, proceed cautiously — the code itself seems coherent with its purpose, but the publishing/metadata gaps reduce trust until corrected.
Review Dimensions
- Purpose & Capability
  - concern: The code and SKILL.md implement an Agentmail inbox tool that requires AGENTMAIL_API_KEY and an inbox identifier; that is consistent with the stated purpose. However, the package/registry metadata does not declare any required env vars or a primary credential even though the scripts and README explicitly require AGENTMAIL_API_KEY and (usually) AGENTMAIL_INBOX. There's also a small version mismatch: registry shows 0.1.2 while pyproject.toml lists 0.1.3. These mismatches make the published metadata inconsistent with the actual capability and required credentials.
- Instruction Scope
  - note: Runtime instructions are specific: run deterministic scripts in scripts/*. They instruct the agent/operator to place credentials in a local .env and run the included Python scripts. The scripts read .env (or --env-file), call the AgentMail SDK, download attachments over HTTPS, write files to a downloads/ directory and append structured logs to inbox_ops.log. They do not attempt to contact unexpected external endpoints beyond the client-provided attachment download URLs and the AgentMail SDK. Note: get_message.py emits message text to stdout (so whatever captures stdout will receive email bodies); this is expected but worth being aware of.
- Install Mechanism
  - note: There is no automated install spec (instruction-only from OpenClaw perspective), so users must run dependency installation themselves (uv sync). The project lists reasonable dependencies in pyproject.toml (agentmail, httpx, pypdf, python-docx, python-dotenv). No downloads from arbitrary URLs or extract operations are present. Because install is manual, ensure you vet the agentmail SDK package and dependency versions before installing.
- Credentials
  - concern: The scripts legitimately need AGENTMAIL_API_KEY and an inbox identifier, and optionally AGENTMAIL_ALLOWED_SENDERS; that is proportionate to the described functionality. The problem is the registry metadata declares no required env vars or primary credential while SKILL.md, README, and the code all require those env vars. This inconsistency can mislead automated preflight checks and users. Also, SKILL.md instructs storing credentials in a local .env (normal), but you should avoid committing or sharing that file.
- Persistence & Privilege
  - ok: The skill does not request 'always: true' and does not modify other skills or system-wide configuration. It writes local logs (inbox_ops.log) and downloaded attachments to the skill folder (or an explicit --out-dir). Those are normal for this purpose but mean the skill creates persistent local artifacts that should be managed (ignored in VCS, cleaned up as needed).
