ShellMail - Email Built for AI Agents

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill is coherent and transparent about providing agent email/OTP access, but users should treat its persistent inbox token and mail-management actions as sensitive.

Before installing, make sure you are comfortable giving the agent persistent access to a ShellMail inbox and its OTPs. Use a dedicated agent-only mailbox, confirm any send/delete actions, and remove or revoke the token when you no longer need the skill.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent with this token can access the ShellMail inbox and OTPs until the token is removed or revoked.

Why it was flagged

The token grants broad access to email contents and verification codes, which is expected for this skill but important for users to understand before enabling it.

Skill content

This skill requires a sensitive `SHELLMAIL_TOKEN` that grants full access to your inbox and OTPs.

Recommendation

Use a dedicated ShellMail inbox for agent workflows, avoid personal email, review the config.patch command before saving the token, and revoke the token when no longer needed.

What this means

If invoked incorrectly, the agent could send messages or remove mail from the ShellMail account.

Why it was flagged

The CLI can send email, reply to messages, delete individual emails, and delete the address and mail, so it has mail-mutation capabilities beyond passive inbox reading.

Skill content

send <to> ... reply <id> ... delete <id> ... delete-address            Delete address and all mail

Recommendation

Require explicit user intent for sending, replying, deleting messages, or deleting the address, and review destructive actions before execution.

What this means

Email content and OTP retrieval depend on the ShellMail service and the configured API URL.

Why it was flagged

The skill sends authenticated requests to the ShellMail provider to retrieve mail and OTP data, which is disclosed and central to the skill's function.

Skill content

API_URL="${SHELLMAIL_API_URL:-https://shellmail.ai}" ... curl -sf "$API_URL/api/mail/otp${PARAMS:+?$PARAMS}" -H "$(auth_header)"

Recommendation

Only use this with a ShellMail provider you trust, keep the default API URL unless intentionally self-hosting, and avoid routing personal or highly sensitive accounts through this inbox.