ClawEmail Admin
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only ClawEmail admin skill, but it uses an API key to create, manage, and delete Google Workspace accounts, so it should be treated as sensitive.
Install or use this skill only if you trust ClawEmail and intend to let the agent administer @clawemail.com accounts. Keep the API key and generated credentials secret, and confirm any suspend or delete action manually before it is run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could permanently delete a ClawEmail Google Workspace account and its associated data.
The skill includes a documented destructive API operation. It is aligned with the admin purpose and clearly disclosed, but a mistaken prefix or unreviewed invocation could delete an account and its data.
## Delete Email Permanently deletes the Google Workspace account and all associated data: curl -s -X DELETE https://clawemail.com/api/emails/PREFIX
Require clear user confirmation before suspend/delete actions, verify the exact prefix, and avoid giving this skill access unless account administration is intended.
Anyone or any agent with the API key may be able to manage the associated ClawEmail accounts.
The skill requires an API key that authorizes account administration. This is expected for the service, but it is a privileged credential.
All admin endpoints require the header: `-H "X-API-Key: $CLAWEMAIL_API_KEY"`
Store the API key only in a trusted secret store, do not paste it into chat, rotate it if exposed, and use the least-privileged key available.
The generated password and OAuth credentials can grant programmatic access to the new Workspace account.
The created accounts receive broad Google Workspace capabilities and OAuth credentials. This is central to the stated purpose, but the resulting credentials are sensitive.
Each account comes with full Gmail, Docs, Sheets, Calendar, and Drive access plus OAuth credentials for programmatic use.
Save generated credentials securely, limit who can view them, and revoke or rotate access when the account is no longer needed.
Users have less information for verifying who maintains the skill or service before granting it an API key.
The skill has limited provenance information. There is no installable code in the artifacts, but users are still trusting the referenced external service with admin operations.
Source: unknown Homepage: none
Verify the ClawEmail service and skill owner through trusted channels before using a real API key.