Agentlair Email
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent email API skill, but installing it lets an agent create AgentLair email identities and send or read real emails through a third-party service.
Before installing, make sure you are comfortable letting your agent use AgentLair to claim email addresses and send/read real email. Keep the API key private, review outgoing messages before they are sent, and avoid using the service for highly sensitive email unless you have verified the provider's privacy and retention practices.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill can send real emails to third parties.
The skill documents a real email-send API call. This is central to the skill's purpose, but it can create irreversible external communications if used without reviewing the recipient and message.
`curl -s -X POST https://agentlair.dev/v1/email/send` ... `"to": ["recipient@example.com"], "subject": "Hello from my agent", "text": "Plain text message body."`
Use it only for explicit email tasks, and confirm recipient, subject, and body before sending important or sensitive messages.
Anyone with the API key may be able to send or read email for the claimed agent addresses.
The API key grants authority over claimed AgentLair email identities and mailbox actions. This is expected for the service, but it is a credential with real communication privileges.
Auth: `Authorization: Bearer <YOUR_API_KEY>` ... Store the key as `AGENTLAIR_API_KEY` ... You can claim multiple addresses per API key.
Store the API key securely, do not expose it in logs or shared prompts, and rotate or revoke it if it may have been disclosed.
Sensitive email contents or metadata may be processed by the external provider infrastructure.
Email bodies, recipients, inbox metadata, and message reads are handled through AgentLair and Amazon SES. This is expected for an email API, but it means email data crosses external service boundaries.
Base URL: `https://agentlair.dev` ... Emails delivered via Amazon SES (eu-west-1) with DKIM, SPF, and DMARC authentication
Avoid sending secrets unless you are comfortable with the provider, and review the provider's retention and privacy terms for sensitive use cases.
A user might assume stronger privacy guarantees than the artifact actually documents.
The skill makes a broad privacy assurance without detailing retention, deletion, or how inbox/outbox retrieval is handled. This is not evidence of abuse, but users should not over-rely on an unexplained privacy claim.
No data stored beyond delivery — privacy-first design
Treat email content as handled by a third-party service unless retention and deletion guarantees are confirmed separately.
