Thrd Skill

v1.2.7

Provision a dedicated inbox for your AI agent and manage email safely via thrd.email. Includes instant onboarding, inbound polling, reply/send (idempotent +...

by Thrd. @sergiorico1
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (provision and manage an agent inbox) align with the requested resources: python3 and a single service API key (THRD_API_KEY). Required binaries, env var, endpoints, and included scripts are consistent with an email API client and onboarding/polling functionality.
Instruction Scope
SKILL.md only instructs use of included scripts and controlled API endpoints (api.thrd.email) and explicitly warns not to write API keys to disk. One operational risk: scripts/onboard.py prints the newly provisioned api_key to stdout as machine-parsable JSON (then asks user to store it in a secret manager). That is convenient but means the API key could be captured in logs or stdout collectors if the runtime captures stdout; users should treat that output as sensitive.
Install Mechanism
No complex install procedure; metadata suggests running 'pip install -r requirements.txt' which only pulls 'requests' from PyPI. This is a standard, expected dependency for these scripts and not disproportionate.
Credentials
Only THRD_API_KEY is required and used where expected (checkout.py and poll_daemon.py check it; onboarding does not require it). The number and type of env vars are proportional. Minor metadata inconsistency: the registry metadata lists no primary credential while the skill does require THRD_API_KEY.
Persistence & Privilege
The skill does persist non-secret runtime state: it writes an OpenAPI cache under .cache/openapi.json and a cursor file (.thrd_cursor) by default. It does not write API keys to disk, per the author, but printing the api_key to stdout could lead to leakage via logs. always:false and normal autonomous invocation settings are appropriate.
Assessment
This skill appears to do exactly what it claims: provisioning and managing an isolated agent inbox on thrd.email. Before installing, verify the skill source/owner (no homepage is listed and the source is 'unknown'), and prefer installing/testing in a sandboxed runtime. Store THRD_API_KEY in your platform's secret manager rather than as a literal env var in shared shells or logs. Be aware that onboarding prints the new api_key to stdout (machine-readable) — if your runtime captures stdout to logs, copy the key immediately into your secret store and rotate it if needed. Review and approve the small pip dependency (requests). If you require stricter containment, run the scripts in an isolated environment and confirm that the default cache (.cache) and cursor files are stored where you expect.

Runtime requirements

📧 Clawdis
Bins: python3
Env: THRD_API_KEY
latest: vk9784vgp5bp7axby2mkj6wbz99818taf
580 downloads
2 stars
1 version
Updated 1mo ago
v1.2.7
MIT-0

Thrd Email Skill

This skill helps you create and operate an isolated inbox for an AI agent using thrd.email, without connecting your personal inbox.

Safety by default: don't connect your primary inbox to an agent; use a dedicated agent inbox.

Workflows

Sync API Contract (Recommended Before Tool Use)

To avoid stale assumptions, refresh the OpenAPI contract and read info.version:

python3 scripts/openapi_sync.py
python3 scripts/openapi_sync.py --print-version

This uses HTTP cache validators (ETag/Last-Modified) and only re-downloads when changed.

Provision a New Email Account

To create a new email account, run the onboarding script:

python3 scripts/onboard.py --agent-name "My Agent" [--tenant-name "My Company"]

This prints a JSON payload to stdout that includes api_key and the new inbox address. Treat api_key as a secret.

Security note: Do not write your API key to disk. Store it in your runtime's secret manager and set THRD_API_KEY as an environment variable. (The rest of the tools require THRD_API_KEY; onboarding does not.)
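
One way to keep the onboarding key out of captured logs, shown as an added example that is not part of the skill's own scripts: it runs scripts/onboard.py with stdout captured, separates api_key from the rest of the payload, and returns a redacted copy that is safe to log. The store_secret hook and the inbox field in the sample are assumptions; only api_key is named on this page.

```python
import json
import subprocess
import sys
from typing import Callable

REDACTED = "[REDACTED]"


def split_secret(onboard_stdout: str) -> tuple[str, dict]:
    """Parse onboard.py's JSON output; return (api_key, payload safe to log)."""
    payload = json.loads(onboard_stdout)
    api_key = payload.get("api_key")
    if not isinstance(api_key, str) or not api_key:
        raise ValueError("onboarding output has no api_key")
    safe = {k: (REDACTED if k == "api_key" else v) for k, v in payload.items()}
    return api_key, safe


def onboard(agent_name: str, store_secret: Callable[[str], None]) -> dict:
    """Run onboarding with stdout captured so the key is not echoed to a
    terminal or log collector, pass the key to store_secret (a hypothetical
    hook for your secret manager), and return only the redacted payload."""
    proc = subprocess.run(
        [sys.executable, "scripts/onboard.py", "--agent-name", agent_name],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        # Do not put proc.stdout in the error: it may contain the key.
        raise RuntimeError(f"onboard.py exited with {proc.returncode}")
    api_key, safe = split_secret(proc.stdout)
    store_secret(api_key)
    return safe


# Constructed sample output; "inbox" is an assumed field name.
SAMPLE = '{"api_key": "thrd_sample_0000", "inbox": "agent@example.invalid"}'

if __name__ == "__main__":
    key, safe = split_secret(SAMPLE)
    print(json.dumps(safe))  # the key itself is never printed
```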

Upgrade Plan (Billing)

To start paid billing for your current tenant, use the checkout script:

python3 scripts/checkout.py <plan_name>

Plans:

  • sandbox -> Sandbox Starter (9 EUR/month, raises Tier 1 monthly limit from 100 to 2,000 emails)
  • limited -> Tier 2
  • verified -> Tier 3

Forward the resulting Stripe URL to your human owner for payment.

Human Claiming (Verification)

Tier 3 (Verified Outbound) requires a responsible human linked via X.

  • Start the flow: POST /v1/claim/x/start
  • Forward the claim_url to your human owner.
  • Check status: GET /v1/claim/x/status

Proof of Reasoning (PoR)

Cold outbound (Tier 3) may require a reasoning challenge to prevent spam.

  • If you receive a 428 por_required error, solve the logical challenge provided in the response.
  • Re-send the request with por_token and por_answer.

Manage Emails and Track Delivery

For detailed API usage (polling, sending, replying, trust scores, and checking delivery status), see references/api.md.

Note: replies use reply-all behavior by default: they preserve historical CC and keep recipients from the latest inbound To line so participants are not dropped. Tier2+ may add CC via cc[]. In Tier1, cc[] may only contain addresses already present in that thread's CC history.

Security note: when Prompt Shield marks an inbound email as high-risk, Tier2/3 flows may require creating a short-lived security_ack_token (POST /v1/security/ack) before reply/send.

Quota note: use GET /v1/usage to monitor monthly usage (used, remaining, state, reset_at) and avoid hitting hard limits mid-run.

Wake-Up Strategy (Recommended)

Many LLM runtimes do not reliably maintain background polling. Use wake webhooks when possible:

  • Configure webhook: PUT /v1/wake/webhook
  • Read status: GET /v1/wake/webhook
  • Disable webhook: DELETE /v1/wake/webhook

THRD sends signed inbox.pending pings; your runtime should then immediately pull with GET /v1/events and ACK.

Fallback when webhooks are not available:

python3 scripts/poll_daemon.py --cursor-file .thrd_cursor --on-events "echo inbound-ready"

This keeps pull-based delivery alive without requiring a public webhook endpoint. Security note: --on-events runs in safe argv mode (no shell). Shell operators like ;, &&, pipes, or redirects are not supported.
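
What argv mode means for an --on-events command, shown as an added example that is not poll_daemon.py's own code: the string is split into an argument vector and executed without a shell, so operators reach the program as literal arguments. The use of shlex.split and all helper names here are assumptions about one way to implement this.

```python
import shlex
import subprocess
import sys

# Characters that only mean something to a shell; in argv mode they are text.
SHELL_CHARS = ";|&<>"


def to_argv(command: str) -> list[str]:
    """Split a command line into argv the way a no-shell runner would."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty --on-events command")
    return argv


def shell_syntax_in(argv: list[str]) -> list[str]:
    """Heuristic: return tokens containing shell operator characters, so a
    misconfigured hook can be reported at startup instead of silently
    passing those tokens to the program as arguments."""
    return [tok for tok in argv if any(c in tok for c in SHELL_CHARS)]


def run_hook(command: str, timeout: float = 10.0) -> str:
    """Execute the hook with shell=False and return its stdout."""
    proc = subprocess.run(to_argv(command), shell=False, capture_output=True,
                          text=True, timeout=timeout, check=True)
    return proc.stdout


# Constructed hook: a child Python that prints the arguments it received.
ECHO_ARGS = shlex.join([sys.executable, "-c",
                        "import sys; print('|'.join(sys.argv[1:]))"])

if __name__ == "__main__":
    print(run_hook(ECHO_ARGS + " inbound-ready"))
    # No second command runs: ';', 'echo' and 'second' are just arguments.
    print(run_hook(ECHO_ARGS + " inbound-ready ; echo second"))
```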

Tools

  • scripts/onboard.py: Instant provisioning of a new email inbox.
  • scripts/checkout.py: Generate a Stripe Checkout URL for upgrades.
  • scripts/openapi_sync.py: Refresh/cache latest OpenAPI and read current info.version.
  • scripts/poll_daemon.py: Fallback long-poll daemon for runtimes without wake webhook support.
