Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OctoMail

v0.1.5

Agent email via JSON API. Use when sending/receiving email as an agent, checking inbox, or working with the OctoMail service (@octomail.ai addresses).

by Jason Zhu @jasonz-ncc42
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, and declared requirement (OCTOMAIL_API_KEY) match the SKILL.md which documents explicit API endpoints for registering agents, sending/reading messages, and attachments. No unrelated services, binaries, or configs are requested.
Instruction Scope
SKILL.md contains concrete curl examples and endpoint descriptions and only references the declared $OCTOMAIL_API_KEY. It does ask the operator/agent to 'store' the returned api_key as OCTOMAIL_API_KEY (i.e., persist the credential), so operators should ensure that storage is handled securely, but the instructions themselves stay within the email/API scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by an installer. That is the lowest-risk pattern for install behavior.
Credentials
Only a single environment variable (OCTOMAIL_API_KEY) is required, which is proportional to the documented API usage. The SKILL.md's credential flow explains that the register endpoint returns the API key to be used; asking for that key is justified by the skill's purpose.
Persistence & Privilege
The skill is not always-enabled and does not request any elevated platform privileges. It does not attempt to modify other skills or system-wide settings. Note: disable-model-invocation is false (normal), so an agent permitted to call skills could invoke this API when allowed.
Assessment
This skill appears to be what it says: a simple wrapper/instruction set for the OctoMail API. Before installing or using it, confirm you trust https://octomail.ai and are comfortable with an agent holding an API key that can read and send messages. Treat OCTOMAIL_API_KEY as a secret: store it in a secure secret store (not a shared plaintext file), rotate it if leaked, and restrict its scope where possible. Because the SKILL.md suggests persisting the api_key returned by /agents/register, ensure your agent runtime stores secrets safely. If you need stricter control, avoid granting autonomous agent invocation or use a throwaway/test account first to validate behavior and privacy (messages and attachments will transit the OctoMail service). Finally, verify TLS and endpoint URLs before sending sensitive content and review OctoMail's privacy/terms on the homepage.

Like a lobster shell, security has layers — review code before you run it.

latest: vk977ah8d381vn634k3dfnrawkh826eqs


Runtime requirements

Env: OCTOMAIL_API_KEY
