Skill v1.0.0
ClawScan security
Local Mail Server · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 9:20 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The instructions and requirements match the stated purpose (building a local Stalwart-based mail server using Brevo and a VPS relay); nothing in the SKILL.md asks for unrelated credentials or to perform actions outside that scope.
- Guidance
- This skill is instruction-only and appears coherent for building a local Stalwart mail server with a VPS relay and Brevo. Before following the guide: (1) verify downloaded release archives (checksum/signature) from the official Stalwart GitHub releases; (2) do not store SMTP/API keys or private DKIM keys in world-readable files—use appropriate file permissions and secrets storage; (3) avoid disabling TLS verification in production (the Nextcloud step weakens security); (4) secure the VPS (firewall rules, fail2ban, up-to-date OS) and restrict exposed ports; (5) confirm Cloudflare and Brevo DNS/SPF/DKIM/DMARC settings match your domain provider and privacy policy; (6) test in a controlled environment before deploying to production. If you need the skill to perform actions automatically, ensure you supply credentials and keys only through secure means and verify the agent's behavior.
Review Dimensions
- Purpose & Capability
- ok: The name/description (local mail server using Stalwart + Brevo + VPS relay) aligns with the instructions: installing Stalwart, configuring Postfix/OpenDKIM on a VPS, Cloudflare DNS, and Tailscale. Required services (Brevo, Cloudflare, Tailscale, VPS) are expected for this architecture.
- Instruction Scope
- note: SKILL.md stays on-topic (installation and configuration steps for Stalwart, Postfix, OpenDKIM, DNS, Tailscale, and Nextcloud integration). A few potentially risky but explainable implementation choices are present: it shows plaintext credential placement in config files, suggests disabling TLS peer verification for Nextcloud, and does not instruct verification of downloaded binaries. These are configuration/security cautions rather than scope creep.
- Install Mechanism
- note: No install spec in the skill bundle (instruction-only). The guide uses curl to download official GitHub release tarballs for Stalwart, which is expected; however the instructions do not include checksum or signature verification for the downloaded archive—standard but worth noting as a small supply-chain hygiene omission.
- Credentials
- ok: The skill does not request environment variables or secrets in the registry metadata. The instructions do require operational credentials (Brevo SMTP key, Cloudflare DNS control, VPS/root access, Tailscale account) which are proportional and necessary for the described setup. The skill does show examples that embed sensitive values in config files—users should avoid leaving secrets in world-readable files.
- Persistence & Privilege
- ok: always is false and the skill is invocable by the user only; no install script or persistent agent modifications are present. The skill does not request elevated platform privileges beyond the normal operational needs of installing and configuring mail server software on the user's machines.
