Postmark

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent Postmark integration, but installing it means trusting the ClawLink plugin and granting delegated access to Postmark email data and settings.

Install this only if you trust ClawLink and the ClawHub plugin source. Connect a least-privileged Postmark account where possible, review tool descriptions and previews before approving changes, and revoke the ClawLink/Postmark connection when you no longer need it.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The installed plugin, not this instruction-only skill, will provide the runtime tools that access ClawLink and Postmark.

Why it was flagged

The skill asks the user to install an external plugin that is not included in the reviewed artifact set. This is disclosed and central to the integration, but it creates a separate trust boundary.

Skill content

Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`

Recommendation

Install the plugin only from the expected ClawHub source and review ClawLink's verification/source information if this account contains sensitive email data.

What this means

ClawLink-connected tools may be able to read transactional email activity and, depending on granted permissions, change Postmark resources.

Why it was flagged

The workflow grants ClawLink delegated access to the user's Postmark account and credential flow. This is expected for the stated integration, but it is sensitive account authority.

Skill content

Powered by ClawLink ... handles hosted connection flows and credentials so you don't need to configure Postmark API access yourself.

Recommendation

Use the least-privileged Postmark connection available, avoid pasting raw credentials into chat, and revoke the ClawLink/Postmark connection when no longer needed.

What this means

A mistaken confirmed action could alter templates, server settings, or delivery workflows for transactional email.

Why it was flagged

The skill can reach write-capable Postmark operations that may affect business email behavior. The artifact includes appropriate preview and confirmation safeguards, so this is a purpose-aligned note rather than a concern.

Skill content

Manage templates or server settings only after confirmation ... Confirm before changing transactional email configuration

Recommendation

Review previews carefully before approving any write, bulk, destructive, or external-facing Postmark action.

What this means

Transactional email metadata, message activity, and tool requests may pass through ClawLink's integration layer.

Why it was flagged

The actual tool schemas and calls are brokered dynamically through ClawLink rather than being statically present in this skill. This is disclosed and purpose-aligned, but users should understand that Postmark data and tool actions depend on the external ClawLink gateway.

Skill content

ClawLink provides tools dynamically based on what the user has connected. You do not need to know tool names or schemas in advance.

Recommendation

Before using sensitive data, inspect returned tool descriptions and previews, and proceed only if you trust ClawLink's data handling for the connected Postmark account.