uspeedo-email-sending-channel
Security checks across malware telemetry and agentic risk
Overview
This instruction-only skill is clearly intended to send user-confirmed email through uSpeedo, but users should treat the API keys and email content as sensitive.
This skill appears purpose-aligned and not suspicious from the provided artifacts. Install it only if you intend to send email through uSpeedo, provide credentials through a secure environment or secret mechanism, and always review the sender, recipients, subject, and final message before confirming a send.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the skill could send unwanted or incorrect email, but the documented workflow requires the user to approve the final sender, recipients, subject, and content.
The skill can trigger real email sends, which is a high-impact external action, but the artifact explicitly requires current-turn user confirmation before sending.
Never send email automatically. Always require an explicit user confirmation in the current turn for sender, recipients, subject, and final content.
Before authorizing a send, carefully review the sender, recipient list, subject, and final body content.
Anyone or any agent with these credentials may be able to use the associated uSpeedo email-sending capability.
The skill requires uSpeedo API credentials that can authorize actions on the user's email-sending account; this is expected for the purpose but sensitive.
ACCESSKEY_ID | Yes | uSpeedo API Basic auth (ID) | ACCESSKEY_SECRET | Yes | uSpeedo API Basic auth (Secret)
Use environment variables or a secure secret-input mechanism, prefer least-privilege or test keys, and rotate keys if they are exposed in chat or logs.
Sensitive information placed in an email body may be sent to recipients and processed by the email provider.
The artifact discloses that email content is transmitted through the external uSpeedo service; users should understand that message content leaves the local conversation.
The skill sends the user’s raw plain text or HTML. Avoid sending sensitive content or unvalidated HTML to prevent abuse or leakage.
Avoid including secrets or unnecessary personal data in email content, and prefer plain text unless HTML is required.