BaseMail - Onchain Email for AI Agents on Base

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.potential_exfiltration

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If you provide a funded or important wallet key, the agent process can use it for signing during registration.

Why it was flagged

The skill requires access to an Ethereum wallet private key for registration. This is disclosed and central to SIWE authentication, but wallet keys are high-impact credentials.

Skill content
requires:
  bins: ["node"]
  env: ["BASEMAIL_PRIVATE_KEY"]
Recommendation

Use a dedicated wallet for BaseMail, preferably with no funds or unrelated permissions, and avoid reusing a primary wallet private key.

What this means

An enabled agent could send emails from the BaseMail identity if prompted or if it decides to use the skill.

Why it was flagged

The send script can send arbitrary recipient, subject, and body values to the BaseMail send endpoint. This is the advertised email function, but it is an external communication capability.

Skill content
body: JSON.stringify({ to, subject, body: body || '' })
Recommendation

Review prompts and agent permissions carefully, and consider requiring user confirmation before sending important or sensitive emails.

What this means

Anyone who can read the token file may be able to access or send email for the BaseMail account until the token expires or is revoked.

Why it was flagged

After registration, the skill stores a bearer token under ~/.basemail/token.json for later send and inbox operations. This persistence is disclosed and file permissions are restricted, but the token is sensitive.

Skill content
fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokenData, null, 2), { mode: 0o600 });
Recommendation

Keep ~/.basemail private, do not sync or commit it, and delete or rotate the token if the machine or workspace is shared.

Findings (6)

critical

suspicious.env_credential_access

Location
scripts/inbox.js:14
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
scripts/register.js:25
Finding
Environment variable access combined with network send.

critical

suspicious.env_credential_access

Location
scripts/send.js:13
Finding
Environment variable access combined with network send.

critical

suspicious.exposed_secret_literal

Location
scripts/register.js:142
Finding
File appears to expose a hardcoded API secret or token.

warn

suspicious.potential_exfiltration

Location
scripts/inbox.js:44
Finding
Sensitive-looking file read is paired with a network send.

warn

suspicious.potential_exfiltration

Location
scripts/send.js:45
Finding
Sensitive-looking file read is paired with a network send.