BaseMail - Onchain Email for AI Agents on Base
Verdict: Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: basemail
Version: 1.8.0

The BaseMail skill is classified as benign due to its transparent operations and robust security measures. Key indicators include explicit path validation for private key files (preventing path traversal and arbitrary file reads), strong cryptographic practices (AES-256-GCM with scryptSync) for managed wallets, strict password policies, and the secure handling of mnemonics (displayed once, not saved to disk, and legacy files securely removed). The `SKILL.md` documentation is highly transparent, detailing security guidelines and explicitly stating that the skill only signs authentication messages and never sends funds. Audit logging is also implemented with sensitive data masking. All network communication is directed to the stated `api.basemail.ai` endpoint, and there is no evidence of data exfiltration, malicious execution, or prompt injection against the AI agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a funded or important wallet key, the agent process can use it for signing during registration.
The skill requires access to an Ethereum wallet private key for registration. This is disclosed and central to SIWE authentication, but wallet keys are high-impact credentials.
requires:
  bins: ["node"]
  env: ["BASEMAIL_PRIVATE_KEY"]
Use a dedicated wallet for BaseMail, preferably with no funds or unrelated permissions, and avoid reusing a primary wallet private key.
An enabled agent could send emails from the BaseMail identity if prompted or if it decides to use the skill.
The send script can send arbitrary recipient, subject, and body values to the BaseMail send endpoint. This is the advertised email function, but it is an external communication capability.
body: JSON.stringify({ to, subject, body: body || '' })
Review prompts and agent permissions carefully, and consider requiring user confirmation before sending important or sensitive emails.
Anyone who can read the token file may be able to access or send email for the BaseMail account until the token expires or is revoked.
After registration, the skill stores a bearer token under ~/.basemail/token.json for later send and inbox operations. This persistence is disclosed and the file is created with mode 0o600, but the token is sensitive. Note that the mode option of fs.writeFileSync only takes effect when the file is created; it does not tighten the permissions of an existing token.json.
fs.writeFileSync(TOKEN_FILE, JSON.stringify(tokenData, null, 2), { mode: 0o600 });
Keep ~/.basemail private, do not sync or commit it, and delete or rotate the token if the machine or workspace is shared.
