ClawEmail Admin
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: claw-admin Version: 1.0.1 The skill bundle provides an API for managing Google Workspace email accounts on `clawemail.com`. All API calls are standard `curl` commands targeting `https://clawemail.com` and require an API key (`CLAWEMAIL_API_KEY`) for administrative actions, as specified in `SKILL.md`. There is no evidence of data exfiltration, malicious execution (e.g., `curl|bash`), persistence mechanisms, obfuscation, or prompt injection attempts against the agent to perform actions beyond the stated purpose. The instructions are clear and align with the described functionality of an email administration tool.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with this API key could manage ClawEmail accounts and receive sensitive account setup information.
The skill uses an admin API key and handles account passwords/OAuth setup for Google Workspace accounts, which is expected for the purpose but high-privilege.
All admin endpoints require the header: `-H "X-API-Key: $CLAWEMAIL_API_KEY"` ... Each account comes with full Gmail, Docs, Sheets, Calendar, and Drive access plus OAuth credentials for programmatic use.
Only provide a dedicated ClawEmail API key to agents you trust, avoid logging or sharing returned passwords, and rotate the key if it may have been exposed.
A wrong prefix or misunderstood request could delete a Google Workspace account and its data.
The skill documents a destructive account deletion endpoint. It is purpose-aligned and clearly disclosed, but mistakes or unconfirmed execution could cause data loss.
## Delete Email Permanently deletes the Google Workspace account and all associated data: ```bash curl -s -X DELETE https://clawemail.com/api/emails/PREFIX \
Require explicit user confirmation, verify the exact prefix, and prefer suspend over delete when the user is unsure.
Users have less registry-provided information to verify who operates the service before trusting it with an admin API key.
The registry metadata does not provide a source repository or homepage for independent provenance review, even though the skill depends on an external admin API.
Source: unknown Homepage: none
Verify the ClawEmail service and account ownership through trusted channels before supplying an API key or using billing/signup flows.