Skillv1.0.3

ClawScan security

AgentMail MCP CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 27, 2026, 12:03 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requirements and runtime instructions are internally consistent with an email-management CLI: it needs node, an agentmail binary (installed from an npm package), and an AgentMail API key — all of which are appropriate for the described purpose.
Guidance: This skill appears coherent for managing AgentMail accounts, but before installing: 1) Verify the npm package 'openclaw-agentmail-cli' and its publisher on the npm registry and inspect the GitHub repository to ensure it matches expectations. 2) Limit the AGENTMAIL_API_KEY scope and use an ephemeral or low-privilege key if possible. 3) Be aware the skill (and the agent using it) will have access to full email contents and attachments; avoid granting keys that expose unrelated accounts or data. 4) If you want to reduce risk, run the CLI in an isolated environment/container and avoid giving the agent autonomous access to sensitive inboxes until you trust the package. 5) If you need higher assurance, request the package's signed releases or a reproducible build from the maintainer.

Review Dimensions

Purpose & Capability: okThe name/description (manage AgentMail inboxes, send/receive/reply, attachments) matches the declared requirements: a node-based CLI 'agentmail' and an AGENTMAIL_API_KEY. Asking for an API key and the CLI binary is proportionate to the skill's stated purpose.
Instruction Scope: okSKILL.md contains only CLI usage instructions for the agentmail tool (inboxes, threads, messages, attachments). It does not instruct the agent to read unrelated files, look up unrelated credentials, or send data to endpoints beyond AgentMail (docs/homepage point to agentmail.to). Note: the skill will access email contents and attachments by design — that is expected but has privacy implications.
Install Mechanism: noteInstall uses an npm package (openclaw-agentmail-cli) which is a common and expected distribution method for a Node CLI. npm installs are moderate risk compared with curated package managers because packages can contain arbitrary code; verify the package's publisher and contents before installing in sensitive environments.
Credentials: okOnly the AGENTMAIL_API_KEY is required and declared as the primary credential. That single API key is appropriate for interacting with the AgentMail API and is proportionate to the skill's capabilities.
Persistence & Privilege: okThe skill does not request always:true, does not modify other skills' config, and declares no system config paths. It can be invoked autonomously (platform default), which increases blast radius but is not unusual for skills and is not by itself a coherence problem.