Truncus Email
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong recipient, content, attachment, or schedule, the agent could send an unintended email using the user's Truncus account.
The skill instructs the agent to call an external email-sending endpoint, which is the stated purpose but can create irreversible outbound communications.
POST https://truncus.co/api/v1/emails/send
Use this skill only when the user has clearly requested an email send, and review recipient, subject, body, attachments, and schedule before sending important messages.
A misconfigured or over-scoped key could allow unintended email sending from the associated account or domain.
The skill requires a bearer API key to send mail through the user's Truncus account; this is expected for the integration but is still sensitive authority.
The API key is read from the `TRUNCUS_API_KEY` environment variable.
Use a least-privilege Truncus key, preferably with only the send scope unless delivery tracking is needed, and avoid exposing the key in prompts, logs, or shared environments.
Following the wrong repository URL could install content different from the reviewed artifact.
The README's manual install URL differs from the listed homepage repository path in the supplied metadata, so users should verify they are installing the intended source.
git clone https://github.com/vanmoose/truncus-openclaw-skill.git ~/.openclaw/skills/truncus-email
Prefer installing from the registry artifact or confirm the repository owner and contents before cloning manually.
