Agentic Letters
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it can immediately mail paid, real-world letters and handle personal documents and addresses without an explicit final approval step.
Before installing, be sure you trust agentic-letters.com with letter PDFs, recipient addresses, and the API key. Treat sending as irreversible: have the agent show you the final letter, address, and credit use, then confirm explicitly before it runs the send command.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could mail an incorrect or unreviewed document, send it to the wrong address, or consume a paid credit before the user has verified the final letter.
The skill documents immediate sending for paid, real-world mail including cancellation/legal-style workflows, but does not require an explicit final approval step before the irreversible send action.
"Generate a formal cancellation letter as PDF, send it." / "**1 credit = 1 letter** — check credits before sending"
Require the agent to show the final PDF/content, recipient address, and credit impact, then obtain explicit user confirmation before running the send command.
Anyone who obtains the key may be able to use credits or query letter-related API data associated with that key.
The tool uses a bearer API key to authorize requests to the letter-sending provider; this is expected for the service but controls paid actions and account-like access.
"Authorization": f"Bearer {self._api_key}"
Store the API key only in the intended secrets location or environment variable, restrict local file permissions, and rotate the key if it is exposed.
Private letter contents and recipient personal information are shared with agentic-letters.com for printing and mailing.
The selected PDF and recipient address are packaged for the provider API; this is purpose-aligned, but it transmits document contents and personal address data outside the local environment.
"pdf": pdf_b64, "recipient": { "name": name, "street": street, "zip": zip_code, "city": city, "country": country }
Use the skill only for documents and addresses you are comfortable sending to that provider, and avoid including unnecessary sensitive information.
Recipient names, addresses, labels, and letter status can remain on disk and may be visible to future agent runs or local users with access to the workspace.
The skill discloses automatic local persistence of sent-letter records, including recipient details, for later status checks.
"Every sent letter is tracked locally in `{baseDir}/records/`" and contains "recipient"
Periodically delete old records if they are no longer needed and avoid using labels that reveal sensitive context.
