Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proton Mail

v1.0.1

Manage ProtonMail emails via Playwright browser automation. Login, read, send, and manage your encrypted inbox.

by Christopher @christopher-schulze
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's declared purpose (automating ProtonMail via Playwright) aligns with the required binaries (node, playwright) and the runtime instructions. However, the registry metadata lists no required environment variables or primary credential while the SKILL.md repeatedly instructs using PROTON_EMAIL and PROTON_PASSWORD — this mismatch is incoherent and should have been declared in the skill manifest. The skill owner/source is unknown which reduces trust.
Instruction Scope
The SKILL.md instructs the agent to perform full browser automation including logging in, reading, and sending encrypted email — which is expected — but it also explicitly includes bot-detection evasion code (overriding navigator.webdriver and disabling automation-related features). That behavior goes beyond normal automation guidance and could violate site TOS or be abused. The instructions also encourage storing credentials in environment variables but do not specify secure handling, nor does the manifest declare those env vars.
Install Mechanism
There is no centralized install spec in the registry (instruction-only), but the SKILL.md suggests installing Playwright via npm and running `npx playwright install chromium`. Those are standard installer paths (no third-party download URLs). Still, the Chromium install will download browser binaries at runtime; because the skill relies on npx installs and running a browser, users should inspect all commands before executing them in production environments.
Credentials
The skill requires the user's ProtonMail credentials to function (email/password), which is reasonable for UI automation, but the manifest fails to declare any required env vars or primary credential. Requiring highly sensitive credentials without declaring them in the registry metadata (and without guidance on secure storage or least privilege) is a proportionality and transparency issue. Also the skill asks users to disable sandboxing flags which can increase host risk if run on shared systems.
Persistence & Privilege
The skill is not marked always:true and does not request special platform persistence. It is user-invocable and allows autonomous model invocation (the platform default). The skill does not request or attempt to modify other skills or system-wide agent settings in the provided instructions.
What to consider before installing
This skill appears to do what it says (browser automation for ProtonMail) but exercise caution before installing or running it. Items to consider:

  1. Manifest mismatch — the SKILL.md asks you to supply PROTON_EMAIL and PROTON_PASSWORD but the registry metadata does not declare these as required credentials; ask the publisher to correct the manifest so you clearly know what secrets will be used.
  2. Bot-evasion code — the instructions explicitly disable automation detection and recommend disabling the Chromium sandbox; this can violate ProtonMail's terms and raises operational and security risks (especially the --no-sandbox flag on multi-user hosts).
  3. Credential safety — only run this in a trusted, isolated environment (not on shared servers) and prefer ephemeral accounts or Proton-approved methods (Bridge/API) if available.
  4. Source verification — the skill’s source is unknown; verify the author/publisher and review the exact code you will run.
  5. If you decide to run it, avoid running with --no-sandbox on production/shared machines, ensure the environment variables are injected securely, and consider manual review or running in a locked-down container/VM.

If you want, I can draft a checklist of safe operational steps or a safer alternative approach (e.g., Proton Bridge or official APIs) based on your environment.

Like a lobster shell, security has layers — review code before you run it.
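The findings in this scan (environment variables used but not declared in the manifest, sandbox-disabling launch flags, the navigator.webdriver override) can be checked statically before a skill is installed. The sketch below is an added example, not ClawHub's or the skill author's code; the manifest shape ({ env: [...] }), the finding ids and the sample text are assumptions constructed for illustration.

```javascript
// Added example: static pre-install audit of skill instructions against the manifest.
// Assumptions: the manifest shape ({ env: [...] }) and the finding ids are hypothetical.

// Patterns the scan report on this page calls out, matched line by line.
const RISKY_PATTERNS = [
  { id: 'sandbox-disabled', re: /--no-sandbox|--disable-setuid-sandbox/ },
  { id: 'automation-flag-hidden', re: /--disable-blink-features=AutomationControlled/ },
  { id: 'webdriver-override', re: /defineProperty\(\s*navigator\s*,\s*['"]webdriver['"]/ },
  { id: 'hardcoded-fallback-secret', re: /process\.env\.\w*(PASSWORD|SECRET|TOKEN)\w*\s*\|\|\s*['"]/ },
];

// Collect env vars the instructions read in code or tell the user to export.
function referencedEnvVars(text) {
  const names = new Set();
  for (const m of text.matchAll(/process\.env\.([A-Z_][A-Z0-9_]*)/g)) names.add(m[1]);
  for (const m of text.matchAll(/^\s*export\s+([A-Z_][A-Z0-9_]*)=/gm)) names.add(m[1]);
  return [...names].sort();
}

// Return one finding per undeclared env var and one per risky pattern hit.
function auditSkill(skillText, manifest) {
  const declared = new Set(manifest.env || []);
  const findings = [];
  for (const name of referencedEnvVars(skillText)) {
    if (!declared.has(name)) findings.push({ id: 'undeclared-env', detail: name });
  }
  skillText.split('\n').forEach((line, i) => {
    for (const { id, re } of RISKY_PATTERNS) {
      if (re.test(line)) findings.push({ id, detail: `line ${i + 1}` });
    }
  });
  return findings;
}

// Constructed sample mirroring the patterns quoted on this page.
const SAMPLE_SKILL = [
  'export PROTON_EMAIL="your@email.com"',
  "const password = process.env.PROTON_PASSWORD || 'yourpassword';",
  "args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']",
  "Object.defineProperty(navigator, 'webdriver', { get: () => undefined });",
].join('\n');
const SAMPLE_MANIFEST = { bins: ['playwright', 'node'], env: [] };

const report = auditSkill(SAMPLE_SKILL, SAMPLE_MANIFEST);
for (const f of report) console.log(`${f.id}: ${f.detail}`);
```

Declaring both variables in the manifest clears the undeclared-env findings; the remaining hits still need a human decision about whether the flags are acceptable on the target host.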

Runtime requirements

📧 Clawdis
Bins: playwright, node
MIT-0

ProtonMail 📨

Your encrypted inbox, automated. Because checking emails manually is so 2010.

What it does

  • Log in to any ProtonMail account securely
  • Read emails from your inbox
  • Send new emails with compose functionality
  • Manage your mailbox like a pro

All via Playwright browser automation. No API keys, no IMAP/SMTP headaches - just a real browser doing real browser things.

Why this exists

You have better things to do than clicking through ProtonMail's beautiful (but slow) UI. Let your agent handle it. While you relax. Or code. Or whatever it is you do.

We built this because:

  1. ProtonMail's web UI is... leisurely
  2. Automation is hot
  3. Why click when you can script?

Requirements

The Basics

  • Node.js 18+ (20+ recommended)
  • Playwright 1.40+ (npm install playwright)
  • Chromium browser (npx playwright install chromium)

System Dependencies (Linux)

# Ubuntu/Debian
sudo apt-get update
sudo apt-get install -y libnss3 libnspr4 libatk1.0-0 libatk-bridge2.0-0 libcups2 libdrm2 libxkbcommon0 libxcomposite1 libxdamage1 libxfixes3 libxrandr2 libgbm1 libasound2 libpango-1.0-0 libcairo2

# Raspberry Pi / ARM
sudo apt-get install -y chromium-browser

The Secret Sauce (Bot Detection Bypass)

This skill includes enterprise-grade bot detection evasion:

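// Launch args (only the first one relates to automation detection)
await chromium.launch({ 
  headless: true,
  args: [
    '--disable-blink-features=AutomationControlled', // turns off Blink's AutomationControlled feature
    '--no-sandbox',              // disables Chromium's process sandbox (not a stealth setting)
    '--disable-setuid-sandbox',  // disables the setuid sandbox helper on Linux
    '--disable-dev-shm-usage'    // uses /tmp instead of /dev/shm for shared memory
  ]
});

// Hide webdriver property
await page.addInitScript(() => {
  Object.defineProperty(navigator, 'webdriver', { get: () => undefined });
});

This hides the usual automation signals from the site, so the page sees what looks like a regular browser. Mostly works. ✨ The two sandbox flags do nothing for detection: they switch off Chromium's sandbox, which is the host risk the security scan flags for shared systems.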

Quick Start

1. Login

const { chromium } = require('playwright');

async function loginProton(email, password) {
  const browser = await chromium.launch({ 
    headless: true,
    args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
  });
  
  const context = await browser.newContext({
    userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36',
  });
  
  const page = await context.newPage();
  await page.addInitScript(() => {
    Object.defineProperty(navigator, 'webdriver', { get: () => undefined });
  });
  
  await page.goto('https://account.proton.me/login');
  await page.waitForTimeout(2000);
  
  await page.fill('#username', email);
  await page.fill('#password', password);
  await page.click('button[type=submit]');
  await page.waitForTimeout(3000);
  
  return { browser, context, page };
}

2. Check Inbox

await page.goto('https://mail.proton.me/inbox');
await page.waitForTimeout(2000);

const emails = await page.evaluate(() => {
  return Array.from(document.querySelectorAll('.item')).map(e => ({
    subject: e.querySelector('.subject')?.innerText,
    sender: e.querySelector('.sender')?.innerText,
    time: e.querySelector('.time')?.innerText
  }));
});

console.log(emails);

3. Read Email

await page.click('.item:first-child');
await page.waitForTimeout(2000);

const content = await page.evaluate(() => 
  document.querySelector('.message-content')?.innerText
);

4. Send Email (Tested & Working)

// Navigate to compose
await page.goto('https://mail.proton.me/compose');
await page.waitForTimeout(3000);

// Use keyboard navigation (most reliable)
// Tab to recipient field
await page.keyboard.press('Tab');
await page.waitForTimeout(500);

// Type recipient
await page.keyboard.type('recipient@email.com');
await page.waitForTimeout(500);

// Tab to subject
await page.keyboard.press('Tab');
await page.waitForTimeout(500);

// Type subject
await page.keyboard.type('Your subject here');
await page.waitForTimeout(500);

// Tab to body
await page.keyboard.press('Tab');
await page.waitForTimeout(500);

// Type message
await page.keyboard.type('Your message here...');

// Send with Ctrl+Enter
await page.keyboard.press('Control+Enter');
await page.waitForTimeout(3000);

5. Log out (please, it's polite)

await page.click('button[aria-label="Settings"]');
await page.click('text=Sign out');
await browser.close();

Environment Variables

Don't hardcode passwords (seriously, don't):

export PROTON_EMAIL="your@email.com"
export PROTON_PASSWORD="yourpassword"

Then in code:

const email = process.env.PROTON_EMAIL;
const password = process.env.PROTON_PASSWORD;

Complete Example

const { chromium } = require('playwright');

async function main() {
  // Fail closed: never fall back to credentials embedded in the script.
  const email = process.env.PROTON_EMAIL;
  const password = process.env.PROTON_PASSWORD;
  if (!email || !password) {
    throw new Error('Set PROTON_EMAIL and PROTON_PASSWORD in the environment');
  }
  
  const browser = await chromium.launch({ 
    headless: true,
    args: ['--disable-blink-features=AutomationControlled', '--no-sandbox']
  });
  
  try {
    const context = await browser.newContext({
      userAgent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36',
    });
    
    const page = await context.newPage();
    await page.addInitScript(() => {
      Object.defineProperty(navigator, 'webdriver', { get: () => undefined });
    });
    
    // Login
    await page.goto('https://account.proton.me/login');
    await page.fill('#username', email);
    await page.fill('#password', password);
    await page.click('button[type=submit]');
    await page.waitForTimeout(5000);
    
    // Go to compose
    await page.goto('https://mail.proton.me/compose');
    await page.waitForTimeout(3000);
    
    // Send email using keyboard navigation (most reliable)
    await page.keyboard.press('Tab');
    await page.keyboard.type('recipient@email.com');
    await page.keyboard.press('Tab');
    await page.keyboard.type('Test Subject');
    await page.keyboard.press('Tab');
    await page.keyboard.type('Hello! This is a test email.');
    await page.keyboard.press('Control+Enter');
    
    await page.waitForTimeout(3000);
    console.log('📧 Email sent!');
  } finally {
    // Close the browser, and the logged-in session with it, even if a step throws.
    await browser.close();
  }
}

// Report failures without dumping the environment, and exit non-zero.
main().catch((err) => {
  console.error(err.message);
  process.exitCode = 1;
});

Limitations

  • 2FA: Can't do 2FA via automation (use a browser on your device for the initial login, then reuse the session cookies)
  • Rate limiting: ProtonMail might throttle you if you go crazy
  • Dynamic UI: Class names change. Use text selectors or ARIA when possible
  • Headless detection: Works mostly, but Proton might occasionally notice

Troubleshooting

"chromium not found"

npx playwright install chromium

Bot detection / Login fails

  • Verify bot detection bypass is enabled
  • Check user agent string is current
  • Try headed mode for testing

Timeout errors

  • Increase waitForTimeout values
  • Check your internet
  • ProtonMail might be rate limiting

"libX11 not found"

Install system dependencies (see Requirements section)

Security Notes

  • 🔒 Credentials should come from environment variables, not hardcoded
  • 🔑 Use app-specific passwords if ProtonMail supports them
  • 📝 Always log out when done
  • 🍪 Session cookies can be saved for re-use (advanced)

Made with 🦞🔒

From Claws for Claws. Because reading emails manually is for plebs.

HQ Quality Approved.
