Skillv1.0.0

ClawScan security

Agent Mail · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 10, 2026, 3:59 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to use an AgentMail API to send/receive email but does not declare or request the API credentials it clearly needs and instructs storing email data on disk — an incoherence that warrants caution.
Guidance: This skill's purpose (send/receive email) reasonably requires an API key and explicit account configuration, but the package does not declare any credentials and hardcodes or references an email address. Before installing: 1) Ask the publisher how authentication works and where the API key is stored—prefer explicit environment variable names (e.g., AGENTMAIL_API_KEY, AGENTMAIL_EMAIL). 2) Ask for the AgentMail API endpoint, privacy policy, and data retention rules. 3) Confirm who can access /workspace/data/emails/ and whether stored mail is encrypted or automatically deleted. 4) If you handle sensitive email, test in a sandbox and avoid granting platform-wide credentials. 5) If the publisher cannot explain the missing credentials or justify the hardcoded mailbox, do not install.

Review Dimensions

Purpose & Capability: concernThe name and description match an email-sending/receiving skill, but SKILL.md explicitly references an 'API Key: 已配置' and a specific mailbox (fhbillwer@agentmail.to) while the registry metadata declares no required environment variables or credentials. A mail integration normally requires at least an API key and account configuration; their absence from the declared requirements is inconsistent.
Instruction Scope: concernRuntime instructions are vague about how the AgentMail API is accessed and instruct the agent to persist email data at /workspace/data/emails/. The skill may send user email content to an external service and will write potentially sensitive messages to local workspace storage; the instructions do not document endpoints, auth mechanics, retention, or who can access those stored emails.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files, so there is no installer downloading or executable being placed on disk. That reduces supply-chain risk compared to arbitrary downloads.
Credentials: concernThe SKILL.md implies an API key and a configured email account but the skill declares no required env vars or primary credential. That mismatch is disproportionate: a mail-sending skill should explicitly declare the credentials it needs (e.g., AGENTMAIL_API_KEY, AGENTMAIL_EMAIL) and not rely on undocumented, implicit credentials.
Persistence & Privilege: concernAlthough the skill is not marked always:true and does not request elevated platform privileges, it directs storage of email data to /workspace/data/emails/, creating persistent storage of sensitive information without documenting retention, access controls, or encryption. The skill does not declare that config path in metadata, so this is an undeclared persistent footprint.