mailbox.bot
v4.0.0
Real mailing address for your AI agent. Receive, scan, and forward postal mail — or send letters and documents. CMRA postal mail infrastructure your agent ma...
⭐ 2· 1.4k·1 current·2 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill advertises a CMRA-backed virtual mailbox, scanning, webhooks, and outbound printing — and the SKILL.md contains API calls, webhook/HMAC notes, and pricing that match that purpose. There are no declared env vars or binaries required by the registry, and the SKILL.md only references service-specific variables (MAILBOX_BOT_API_KEY, MAILBOX_BOT_URL) which are appropriate for an API integration.
Instruction Scope
Instructions stay within the mailbox service domain (signup, API calls, webhook handling, MAILBOX.md standing instructions). However, the guide explicitly shows how to create an operator account via curl (including a plaintext password example) and encourages programmatic signup on behalf of a human operator. That workflow can lead agents to create accounts or store credentials without explicit human consent — this is a behavioral risk to review before enabling automation.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes on-disk risk because nothing is downloaded or automatically installed by the skill.
Credentials
The registry lists no required environment variables or credentials. The SKILL.md documents optional service-specific variables (API key and base URL) which are proportionate to calling a remote mailbox API. The skill also describes HMAC-signed webhooks — requiring a webhook secret — which is expected for authenticity; ensure you provision and protect that secret.
Persistence & Privilege
always is false and model invocation is allowed (the default). The skill does not request permanent platform-wide privileges or modify other skills/configuration. Autonomous actions (e.g., auto-forwarding mail) are possible via the service and should be configured with care, but the skill itself does not assert elevated platform privileges.
Assessment
This skill appears coherent for integrating a virtual mailbox service, but take these precautions before installing:
- Verify the service and domain (https://mailbox.bot) and the referenced GitHub repo to ensure the provider is legitimate and trustworthy.
- Prefer supplying your own API key rather than letting the agent create an operator account. If you must automate signup, do so with explicit human approval and avoid embedding plaintext passwords in agent-accessible places.
- Configure webhook HMAC secrets and verify signatures on incoming webhooks before acting automatically. Limit webhook endpoints to known URLs and rotate secrets periodically.
- Restrict agent autonomy for high-impact actions (forwarding, certified mail, shredding, legal responses). Require human-in-the-loop approval for legal/certified mail and anything that incurs real-world cost or legal obligations.
- Review pricing, KYC, and privacy terms; this skill handles sensitive physical mail and personally identifiable information, so confirm compliance with your policies.
If you want a higher-assurance verdict, provide the full SKILL.md contents (untruncated) or a link to the referenced GitHub repository so I can inspect any additional instructions (e.g., webhook examples, MAILBOX.md syntax) that might change the assessment.
Like a lobster shell, security has layers — review code before you run it.
