Crinkl Claws

Audited by ClawScan on May 10, 2026.

Overview

This skill is coherent and purpose-aligned, but it works by reading receipt emails, sending raw email contents to Crinkl for DKIM verification, and storing a Crinkl key in agent memory.

Before installing, make sure you are comfortable with an agent periodically searching receipt emails and sending raw receipt messages to Crinkl. Prefer the dedicated AgentMail inbox if you want tighter separation from your primary Gmail account, and revoke or clear the stored API key when you stop using the skill.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Once configured, the agent may periodically scan for recent billing emails and submit matching receipts without asking about each individual email.

Why it was flagged

The skill is designed for recurring automated tool use across email search, raw message retrieval, and receipt submission. This is disclosed and purpose-aligned, but users should understand the automation scope.

Skill content

*Run each cycle. Find billing emails, verify DKIM signatures, submit to earn sats.*

Recommendation

Use the dedicated AgentMail path if possible, or confirm that recurring Gmail scanning is acceptable before pairing the wallet and granting email access.

What this means

The agent can read matching email content through the configured provider and use the Crinkl API key to submit receipts and check earnings.

Why it was flagged

The skill uses delegated email access and a Crinkl API key tied to a wallet. These privileges are expected for the integration and are disclosed, but they are still sensitive.

Skill content

`CRINKL_API_KEY` ... `Stored in agent memory. Revocable anytime.` ... `Your human authorizes read-only Gmail access through gog's OAuth setup.`

Recommendation

Verify that Gmail access is read-only, revoke the Crinkl key if you stop using the skill, and prefer a dedicated inbox if you do not want the agent accessing your main mailbox.

What this means

Receipt email contents leave the email provider and are processed by Crinkl, even though the skill says the original email is discarded after verification.

Why it was flagged

Raw RFC 2822 billing emails are sent to Crinkl's remote MCP/tooling so DKIM can be verified. This data flow is central to the purpose and disclosed, but raw receipts may contain personal or purchase details.

Skill content

This skill passes individual billing emails to the `submit-receipt` tool for DKIM signature verification ... the server must receive the same bytes the mail server signed.

Recommendation

Install only if you trust Crinkl's handling of raw receipt emails; consider using AgentMail with a dedicated receipt inbox to limit exposure.

What this means

A retained API key or message history could remain available to future agent sessions until removed or revoked.

Why it was flagged

The skill creates persistent memory entries for a credential and submitted email identifiers. This is operationally useful, but it is persistent state that should be protected and cleared when no longer needed.

Skill content

Store this as your `CRINKL_API_KEY` ... Track message IDs you've already submitted in your memory.

Recommendation

Clear the stored key and message IDs when uninstalling or disabling the workflow, and revoke the Crinkl API key from the Crinkl app if needed.

What this means

Your security depends partly on the Crinkl MCP service and any email-access skill you install alongside it.

Why it was flagged

The skill is instruction-only locally and depends on a remote MCP server plus optional external skills for email access. This is disclosed, but the local artifact review cannot inspect the remote service behavior.

Skill content

`"crinkl": { "url": "https://mcp.crinkl.xyz/mcp" }` ... Install the **gog** skill ... Install the **agentmail** skill

Recommendation

Review and trust the Crinkl service and the chosen email skill before granting access; keep the dependency set minimal.