Truncus Email
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for sending emails through Truncus, but users should verify recipients, content, API-key scope, and the repository source before use.
Before installing, confirm the repository/source, set a least-privilege TRUNCUS_API_KEY, and treat each invocation as a real outbound email action. Review recipients, message content, attachments, tracking settings, and scheduled send times before allowing important or sensitive emails to be sent.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong recipient, content, attachment, or schedule, the agent could send an unintended email using the user's Truncus account.
The skill instructs the agent to call an external email-sending endpoint, which is the stated purpose but can create irreversible outbound communications.
POST https://truncus.co/api/v1/emails/send
Use this skill only when the user has clearly requested an email send, and review recipient, subject, body, attachments, and schedule before sending important messages.
A misconfigured or over-scoped key could allow unintended email sending from the associated account or domain.
The skill requires a bearer API key to send mail through the user's Truncus account; this is expected for the integration but is still sensitive authority.
The API key is read from the `TRUNCUS_API_KEY` environment variable.
Use a least-privilege Truncus key, preferably with only the send scope unless delivery tracking is needed, and avoid exposing the key in prompts, logs, or shared environments.
Following the wrong repository URL could install content different from the reviewed artifact.
The README's manual install URL differs from the listed homepage repository path in the supplied metadata, so users should verify they are installing the intended source.
git clone https://github.com/vanmoose/truncus-openclaw-skill.git ~/.openclaw/skills/truncus-email
Prefer installing from the registry artifact or confirm the repository owner and contents before cloning manually.