Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Xobni Email
v1.0.1Email infrastructure for AI agents via Xobni.ai. Provides real email addresses (@xobni.ai) with REST API and MCP server access. Use when an AI agent needs to send/receive email, search inbox, manage attachments, or set up webhooks for email notifications.
⭐ 0· 911·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name, description, SKILL.md and references/api.md consistently describe an agent-scoped email service (send/receive/search/webhooks). That functionality justifies use of an API key and webhook configuration. However, the registry metadata declares no required environment variables or primary credential even though every example uses an API key (Authorization: Bearer). The omission of a declared primary credential is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to call REST endpoints and MCP server for email operations and shows webhook setup. It does not instruct reading unrelated local files, scanning system state, or exfiltrating arbitrary data. Examples reference an environment variable ($XOBNI_KEY) and suggest creating a scoped API key — again, this is expected for the service but should be declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written to disk by the skill package itself.
Credentials
The service legitimately requires an agent-scoped API key; that is proportionate. The concern is metadata claims 'no required env vars' and 'primary credential: none' while examples use $XOBNI_KEY/Authorization headers. This mismatch could be simple metadata omission, but it means the skill packaging does not clearly declare the secret it needs — a transparency and governance issue. Also note webhooks will deliver snippets and webhook secrets are returned once; users must protect webhook endpoints.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or modify other skills. It appears not to require elevated persistence or cross-skill privileges.
What to consider before installing
This skill appears to implement an email API and is coherent with that purpose, but metadata failed to declare the primary API credential. Before installing: (1) verify the service domain (https://xobni.ai) and that you trust the operator, (2) expect to provide an agent-scoped API key (check that the registry entry is updated to declare something like XOBNI_KEY or a primaryEnv), (3) only give a scoped key limited to the specific agent and rotate/revoke keys when done, (4) if you configure webhooks, ensure your endpoint verifies X-Xobni-Signature HMAC and only accepts deliveries from trusted IPs, (5) confirm attachment size/limits and privacy implications of sending email content to a third-party service. The omission of declared credentials is likely an oversight but merits caution; require the publisher to correct metadata before trusting automated/long-running usage.Like a lobster shell, security has layers — review code before you run it.
latestvk97eq23w3g1c3epbw6vver65ws811xah
License
MIT-0
Free to use, modify, and redistribute. No attribution required.