Skulk Email Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it gives an agent broad access to read email and send messages from your mailbox without a built-in approval or scope limit.
Install only if you want your agent to access this mailbox. Use a dedicated account, keep credentials locked down, manually approve every outbound email, and treat all received email content as untrusted.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
If the agent invokes this command on the wrong prompt or after reading malicious email content, messages could be sent as the configured mailbox and may be hard to undo.
The send command posts an email immediately to user-supplied recipients using the stored mailbox login; the artifacts do not show a confirmation, dry-run, recipient scope, or rate/volume guard.
    send) cmd_send "${2:?To address required}" "${3:?Subject required}" "${4:?Body required}" ;;
    ...
    --data-urlencode "_to=${to}"
    ...
    --data-urlencode "_message=${body}"
Require explicit user approval before every send, consider recipient or domain allowlists and a dry-run mode, and use a dedicated low-privilege mailbox.
Finding 2
Anyone or any agent process that can use the skill with that credential file can access mailbox contents and send as that mailbox.
The skill needs mailbox passwords or app passwords and can use them to read and send through those accounts. This is expected for an email integration, but it is sensitive delegated authority.
    Credentials: DreamHost mailbox email+password stored at ~/.config/skulk-email/credentials.json ... Gmail fields are optional
Use a dedicated mailbox or app password, keep the credential file private with strict permissions, rotate credentials if exposed, and avoid using a high-value personal or business mailbox.
Finding 3
A malicious email could try to manipulate the agent into taking actions such as replying, forwarding data, or sending new messages.
When reading a message, the script outputs raw email headers and body into the agent/user context. Email content is untrusted external input and could contain prompt-injection instructions.
    print(f"Subject: {subject}")
    ...
    print(body.decode(charset, errors="replace"))
Treat email bodies as untrusted data, do not follow instructions contained in messages, and require separate user confirmation before any action based on email content.
Finding 4
Users may not realize from the registry metadata that the skill depends on local command-line tools and mailbox credentials.
The registry metadata does not declare the binaries or credential contract that SKILL.md describes: python3, curl, jq, and ~/.config/skulk-email/credentials.json. This is under-declaration rather than hidden behavior because the SKILL.md discloses them.
    Required binaries (all must exist): none ... Primary credential: none
Update metadata to declare required binaries and the mailbox credential requirement so users can review the needed local authority before installation.
