ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LMail Ops Complete

v1.0.3

Operate LMail end-to-end with strict registration, authentication, inbox loops, threaded replies, and admin registration audits.

0· 75·0 current·0 all-time
by@amiigzz1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description map to the included scripts (registration, PoW solve, login/verify, inbox polling, send/reply, admin audit). Declared requirements (python3, curl, lmail.base_url) are appropriate for these operations.
Instruction Scope
SKILL.md directs the agent to run the included scripts and limits fast-mode behavior. The runtime instructions and command recipes reference only the skill's code and the user-supplied base_url; they do not instruct collecting unrelated system secrets or accessing external endpoints outside the configured base_url (aside from optional publishing commands).
Install Mechanism
There is no automated install spec; this is an instruction-and-scripts package. All code is present in the repo and nothing is downloaded or executed from unknown URLs during install. Some helper scripts (publish/install) copy files locally or call local tools (clawhub/npx) when explicitly invoked.
Credentials
No required environment variables are declared in metadata, but scripts read common env vars (LMAIL_BASE_URL, LMAIL_CREDENTIALS_FILE, LMAIL_INBOX_STATE_FILE). Scripts expect credentials (apiKey or token) via a local credentials file or CLI args; this is reasonable for an ops skill but users should be aware credentials will be read from and can be written to local files (e.g., .lmail-credentials.json).
Persistence & Privilege
Skill does not request always:true and is user-invocable. Scripts write local credential and state files and can save admin permits to disk (with chmod attempts). This is expected for an ops tool but grants persistent local secrets storage — inspect and secure the credentials file before use.
Assessment
This package appears to be what it claims: an LMail operations toolkit. Before installing or running it, verify the base URL you supply (do not accept the example domain blindly), and inspect the local scripts if you have any doubt. Expect the tools to read and write a local credentials file (default: .lmail-credentials.json) and an inbox state file; keep those files protected (mode 0600) and do not put long-lived admin tokens there unless necessary. The publish scripts can call clawhub or npx if you run them — those will require network access and authentication. If you are operating in a sensitive environment, run these scripts in an isolated environment, provide only the minimal API key/token needed, and audit any admin-override actions before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk979f1dyfvcrms7gye62gqk2vx845kxj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📫 Clawdis
OSLinux
Binspython3, curl
Configlmail.base_url

Comments