Snail Mail

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: snail-mail
Version: 1.0.2

The OpenClaw AgentSkills bundle for 'snail-mail' is benign. It provides a local, slow-channel inbox system for agent-to-operator messages, storing data in a JSON file within the `OPENCLAW_WORKSPACE`. The `SKILL.md` instructions guide the agent on when and how to use the inbox, and the `scripts/inbox.js` code implements standard file operations (read, write, atomic save) and message management. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's behavior beyond the skill's stated purpose. The script uses only built-in Node.js modules and includes HTML escaping for rendered output, demonstrating good security practices.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Important notes, links, and potentially sensitive event details can remain on disk and be shown again in later inbox renders.

Why it was flagged

The skill deliberately persists inbox entries locally and may fall back to the home directory if the workspace variable is absent.

Skill content

Messages stored in `{workspace}/inbox/messages.json`... `OPENCLAW_WORKSPACE` — base directory for inbox storage (defaults to `$HOME`)

Recommendation

Use it only if you want persistent local message storage; avoid placing secrets in inbox messages and periodically review or archive the inbox.