GetPost Email API
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only email API skill, but users should notice it can send emails, read inbox content, and create persistent service settings using a GetPost API key.
This skill appears benign and purpose-aligned. Before installing or using it, understand that it uses the GetPost service, requires a bearer API key, can send real emails that cost credits, can read inbox data including message bodies and attachments, and can create persistent addresses, domains, or webhooks. Confirm sensitive actions before allowing an agent to perform them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, an agent could send unintended messages or consume credits from the user's GetPost account.
The skill documents a raw API call that sends external email and spends account credits. This is purpose-aligned, but users should confirm recipients and content before use.
curl -X POST https://getpost.dev/api/email/send ... -d '{"to": "recipient@example.com", "subject": "Hello", "body": "Email body text"}'
Cost: 1 credit per email sent.
Only provide the API key when you intend to use GetPost, and require explicit confirmation for recipients, subject, body, and any paid send action.
Anyone or any agent with the key may be able to access the GetPost account's email capabilities, depending on the service's permissions.
The skill requires a bearer API key for GetPost account actions. This is expected for an email API, but the registry metadata does not declare a primary credential.
Authorization: Bearer gp_live_YOUR_KEY
Store the GetPost API key securely, avoid pasting it into unrelated chats or logs, and rotate/revoke it if exposed.
Received-email notifications, and potentially related email data, could be sent to a webhook endpoint the user configures.
The skill supports webhook delivery for received-email events. Webhooks are purpose-aligned, but the artifact does not describe payload contents, authentication, or endpoint trust requirements.
Register a webhook for `email.received` to get notified instantly when you receive email.
Use only trusted HTTPS webhook endpoints, protect any webhook secrets, and avoid forwarding sensitive inbox data to untrusted services.
