Snail Mail

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: snailmail
Version: 1.0.0

The `scripts/inbox.js` file contains a vulnerability where user-provided message content is not sanitized when rendered in Markdown format by the `renderMD` function. This could lead to Markdown injection (e.g., XSS in a vulnerable chat client or potential prompt injection if the agent re-interprets the Markdown output) if an attacker can control the input to the `add` command. While the `SKILL.md` instructions are generally benign and even advise the agent not to add commentary to the output, the lack of sanitization for Markdown output is a significant flaw, though not indicative of intentional malicious behavior like data exfiltration or persistence.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may notify the operator about urgent inbox items without a direct request, though the behavior is disclosed and limited to inbox content.

Why it was flagged

The skill authorizes autonomous checks and proactive surfacing of urgent inbox items. This fits the stated inbox purpose, but users should be aware it can initiate non-chat responses during heartbeats.

Skill content

During heartbeats, check for unread urgent/important items:
node {skill}/scripts/inbox.js list unread --json
...
If urgent items exist, surface them proactively.

Recommendation

Install only if you want this slow-channel notification behavior, and keep the criteria for urgent messages narrow.

What this means

A user cannot review the entire helper script from the provided displayed source alone.

Why it was flagged

The helper script is the code the skill instructs the agent to run, but the displayed artifact text is marked as truncated. The visible code is coherent and static scan signals are clean, but the human-readable source shown here is incomplete.

Skill content

"truncated": true

Recommendation

Before installation, view the complete scripts/inbox.js from the registry or package source, especially because the skill relies on that helper for file writes.

What this means

The skill may fail or behave differently if Node is unavailable in the environment.

Why it was flagged

The skill requires Node to run its helper script, while the registry requirements list no required binaries. This appears to be an under-declared runtime dependency rather than hidden behavior.

Skill content

node {skill}/scripts/inbox.js add "Title" "Description of what happened"

Recommendation

Ensure Node is available before using the skill, or ask the publisher to declare Node as a required binary.

What this means

Inbox contents can persist across sessions and may be reused or displayed later, including any sensitive details the agent records.

Why it was flagged

The skill intentionally creates persistent local memory for operator messages. This is necessary for an inbox, but stored messages may contain sensitive context or untrusted text that later gets rendered back into chat.

Skill content

Messages stored in `{workspace}/inbox/messages.json`.

Recommendation

Avoid storing secrets in inbox messages, periodically review or clean the inbox file, and treat rendered message text as informational rather than authoritative instructions.

What this means

Local inbox data may be stored outside the intended workspace in some environments.

Why it was flagged

The storage path is scoped to an inbox directory, but if OPENCLAW_WORKSPACE is not set the script falls back to creating the inbox under the user's home directory.

Skill content

const WORKSPACE = process.env.OPENCLAW_WORKSPACE || process.env.HOME || '.';
const INBOX_DIR = path.join(WORKSPACE, 'inbox');

Recommendation

Set OPENCLAW_WORKSPACE explicitly if you want the inbox confined to a particular workspace path.