Skill v1.1.0
ClawScan security
MailCheck Email Verification · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 28, 2026, 10:59 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is largely what it claims (an integration with api.mailcheck.dev) but the registry metadata omits the fact it needs an API key and the package includes executable code — a mismatch that users should understand before installing.
- Guidance: This skill appears to implement exactly what it says: it sends supplied emails/headers to api.mailcheck.dev and requires a MailCheck API key. However, the registry metadata does not declare that MAILCHECK_API_KEY is required — the SKILL.md and code do. Before installing: (1) treat your API key as a secret — prefer setting MAILCHECK_API_KEY in your agent's secure environment rather than pasting keys into command arguments or examples; (2) consider creating a dedicated MailCheck key with minimal scope and rotate/revoke it if exposed; (3) review the published GitHub repo (https://github.com/bnuyts/mailcheck-skill) to confirm authorship and any updates; (4) be aware that sending full email headers can include PII and authentication artifacts (SPF/DKIM/Message-IDs) — only send what you need; (5) ask the publisher or registry to correct the metadata to declare MAILCHECK_API_KEY as a required env var so the permission model is accurate.
Review Dimensions
- Purpose & Capability (note): Name, README, SKILL.md, package.json, and index.js all describe an email verification integration with api.mailcheck.dev and the code performs the described POSTs to /v1/verify, /v1/verify/bulk, and /v1/verify/auth. Functionality matches the stated purpose.
- Instruction Scope (ok): Runtime instructions only call the MailCheck API endpoints and accept parameters (email(s), headers, trusted_domains, api_key). They do not instruct the agent to read unrelated files, system credentials, or to call external endpoints other than api.mailcheck.dev.
- Install Mechanism (note): There is no install spec (instruction-only in registry), but the package includes index.js and package.json — i.e., code will run on the agent platform. No external downloads or opaque installers are used. This is reasonable but the absence of an install spec should be noted by users who expect instruction-only skills.
- Credentials (concern): SKILL.md and index.js expect a MAILCHECK_API_KEY env var or an api_key parameter, but the registry metadata lists no required environment variables or primary credential. The skill legitimately needs an API key to function, so the metadata omission is an incoherence and could lead to confusion or accidental key exposure (examples show inline keys).
- Persistence & Privilege (ok): Skill is not marked always:true, does not request system-level config paths, and does not modify other skills. It runs as a normal (user-invocable / agent-invokable) skill.
