Skillv1.6.5

ClawScan security

Jmail World - Search Epstein Files, E-Mails & Messages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 6, 2026, 10:57 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, requirements, and instructions align with its stated purpose (searching and querying jmail.world Parquet/APIs); it performs network fetches and local DuckDB queries as expected and requests no credentials.
Guidance: This skill appears coherent with its purpose, but review and accept these points before installing: - Network & storage: it downloads Parquet/NDJSON and photo/document files from data.jmail.world and caches them under /tmp/jmail-cache. Expect potentially large downloads and disk usage. - Sensitive content & legality: the datasets include personal communications and images; ensure you have a lawful and ethical reason to access and store this material. - Safety of scripts: the included shell scripts are readable and perform input sanitization and validation, but they do interpolate sanitized values into SQL strings—run them in an isolated environment (container or VM) if you are unsure. - Authenticity: the SKILL.md references jmail.world; if you need higher assurance, verify the remote domain/URLs independently (open the site directly) and confirm the dataset origin before fetching large files. - Dependencies: the scripts require duckdb and curl (and optional jq/python3 for URL encoding). Install these from trusted package sources. If you are comfortable with these tradeoffs and the provenance of jmail.world, the skill is consistent with its claims; otherwise run it in a sandbox or decline installation.

Review Dimensions

Purpose & Capability: okThe name/description match the actual behavior: scripts query https://jmail.world API and https://data.jmail.world/v1/ Parquet files and run DuckDB. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope: noteRuntime instructions and included scripts make HTTP requests to jmail.world and data.jmail.world, cache Parquet files under /tmp/jmail-cache, and run DuckDB queries. Inputs are sanitized and validated in the scripts, but user-supplied text is interpolated into SQL strings (mitigated by a whitelist sanitizer). The scripts can download large datasets and photos (sensitive personal data) — this is expected for the stated purpose but has privacy/storage implications.
Install Mechanism: okNo install spec; the skill is instruction-only plus included shell scripts. It checks for a local duckdb binary and instructs the user to install it manually. No remote code downloads or installers beyond fetching public Parquet/NDJSON files from data.jmail.world.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. Network access to jmail.world/data.jmail.world is required and proportionate to the stated data-retrieval purpose.
Persistence & Privilege: okalways is false and the skill does not request permanent platform-level privileges. It writes cached files to /tmp/jmail-cache (its own working cache) but does not attempt to modify other skills or global agent settings.