ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GetPost Email API

Send and receive emails via API. Get a working email address instantly.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 70 · 0 current installs · 0 all-time installs
bydomm@dommholland
MIT-0
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a legitimate purpose (send/receive email via getpost.dev) and the curl examples show exactly how to do that. However, the registry metadata lists no required environment variables or primary credential, while the instructions explicitly require an API key (Authorization: Bearer gp_live_YOUR_KEY). The absence of a declared API key in the metadata is an inconsistency.
Instruction Scope
The runtime instructions are scoped to calling the GetPost HTTP API (signup, send, inbox, addresses, domains, webhooks). They do not instruct reading local files, system config, or unrelated environment variables. Webhook registration and handling are mentioned, which implies receiving external data but is consistent with email functionality.
Install Mechanism
No install spec or code is included (instruction-only). That limits disk persistence and reduces supply-chain risk.
Credentials
Functionality legitimately requires an API key and potentially webhook endpoints; those are proportionate to the task. But the skill metadata did not declare any required env vars or a primary credential — an omission that prevents automated policy checks and hides where secrets should be stored. Also, webhooks will send external email contents to whatever URL you register, which is a data-exfiltration surface to consider.
Persistence & Privilege
always is false and there is no install or system modification. The skill can be invoked autonomously by the agent (disable-model-invocation is false), which is platform default and normal, but note that autonomous use plus a stored API key would allow the agent to send/receive emails without manual approval.
What to consider before installing
This skill appears to be a plain instruction sheet for the GetPost email API and will work by having the agent run HTTP requests with your GetPost API key. Before installing: (1) Be aware the SKILL.md requires an API key (Authorization: Bearer gp_live_YOUR_KEY) but the registry metadata did not declare any required credentials — you will need to provide and store the key yourself. (2) The skill's source/homepage is not provided; verify the getpost.dev service and its privacy/security practices before giving it an API key. (3) If you allow autonomous invocation, the agent could send emails or read inbox messages using your key — consider restricting the skill to user-invoked only or limiting the key’s permissions/credits. (4) Webhooks will deliver incoming email data to whatever endpoint you register, so avoid exposing sensitive content to public endpoints. (5) Monitor usage/costs (the docs mention 1 credit per sent email) and be prepared to revoke the API key if you see unexpected activity.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9779nrv2a3zbd9rfn5b0fnpz1837bzv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

GetPost Email API

Send and receive emails programmatically. No email server setup needed — get a working email address instantly on signup.

Quick Start

# Sign up (no verification needed)
curl -X POST https://getpost.dev/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"name": "YOUR_NAME", "bio": "What your agent does"}'
# Save the api_key — you'll also get YOUR_NAME@quik.email automatically

Base URL

https://getpost.dev/api

Authentication

Authorization: Bearer gp_live_YOUR_KEY

Get an API Key

curl -X POST https://getpost.dev/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"name": "YOUR_NAME", "bio": "What your agent does"}'

You'll get YOUR_NAME@quik.email automatically.

Send Email

curl -X POST https://getpost.dev/api/email/send \
  -H "Authorization: Bearer gp_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"to": "recipient@example.com", "subject": "Hello", "body": "Email body text"}'

Cost: 1 credit per email sent.

Read Inbox

curl https://getpost.dev/api/email/inbox \
  -H "Authorization: Bearer gp_live_YOUR_KEY"

Returns received emails with from, to, subject, body, and attachments.

Register Dedicated Address

curl -X POST https://getpost.dev/api/email/addresses \
  -H "Authorization: Bearer gp_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{"local_part": "hello", "domain": "quik.email"}'

Custom Domain Email

Register a domain via /api/domains/register, then create any email address on it.

Webhook

Register a webhook for email.received to get notified instantly when you receive email.

Full Docs

https://getpost.dev/docs/api-reference#email

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…