MailCheck Email Verification
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its advertised MailCheck email-verification purpose, but it does send selected email data and a MailCheck API key to the MailCheck service.
This looks safe to use for its stated purpose if you are comfortable sharing the submitted email addresses or headers with MailCheck. Use a limited API key via an environment secret, avoid pasting keys into prompts, and verify the publisher/source if you rely on provenance.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The key can consume MailCheck account quota and grants whatever access that key has; passing it as a command argument may also expose it in command history or logs depending on the host.
The skill can use a user-supplied or environment MailCheck API key and forwards it as the credential for MailCheck API requests.
const apiKey = api_key || process.env.MAILCHECK_API_KEY; ... 'Authorization': `Bearer ${apiKey}`
Prefer a scoped MailCheck API key stored as an environment secret, avoid putting keys directly in prompts, and rotate the key if it may have been exposed.
Email addresses and headers may include personal or internal routing information that leaves the local agent environment for analysis by MailCheck.
The authenticity command sends user-provided email headers and trusted-domain context to the MailCheck provider; the verification commands similarly send email addresses.
fetch('https://api.mailcheck.dev/v1/verify/auth', ... body: JSON.stringify({ headers, trusted_domains: trusted_domains || [] })
Submit only email addresses or headers you are willing to share with MailCheck, redact unnecessary header data where possible, and review the provider's privacy and retention terms.
It may be harder to independently confirm that this registry package corresponds to the claimed upstream project.
The registry-level provenance fields do not identify a source or homepage, even though the package includes source files and repository references.
Source: unknown; Homepage: none
If provenance matters, verify the publisher and repository manually before installing; prefer versions with registry source and homepage metadata populated.
