Truncus Email

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: truncus-email
Version: 1.0.0

The truncus-email skill is a legitimate integration for sending transactional emails via the Truncus API (truncus.co). It includes well-defined safety rules for the AI agent, such as requiring explicit user consent, confirming recipients, and handling rate limits gracefully. The provided examples (send_alert.md, send_basic_email.md) correctly demonstrate API usage via curl without any signs of malicious intent, data exfiltration, or unauthorized execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong recipient, content, attachment, or schedule, the agent could send an unintended email using the user's Truncus account.

Why it was flagged

The skill instructs the agent to call an external email-sending endpoint, which is the stated purpose but can create irreversible outbound communications.

Skill content

POST https://truncus.co/api/v1/emails/send

Recommendation

Use this skill only when the user has clearly requested an email send, and review recipient, subject, body, attachments, and schedule before sending important messages.

What this means

A misconfigured or over-scoped key could allow unintended email sending from the associated account or domain.

Why it was flagged

The skill requires a bearer API key to send mail through the user's Truncus account; this is expected for the integration but is still sensitive authority.

Skill content

The API key is read from the `TRUNCUS_API_KEY` environment variable.

Recommendation

Use a least-privilege Truncus key, preferably with only the send scope unless delivery tracking is needed, and avoid exposing the key in prompts, logs, or shared environments.

What this means

Following the wrong repository URL could install content different from the reviewed artifact.

Why it was flagged

The README's manual install URL differs from the listed homepage repository path in the supplied metadata, so users should verify they are installing the intended source.

Skill content

git clone https://github.com/vanmoose/truncus-openclaw-skill.git ~/.openclaw/skills/truncus-email

Recommendation

Prefer installing from the registry artifact or confirm the repository owner and contents before cloning manually.