ClawHub

Robotomail

v1.0.4

Give an AI agent a real inbox and outbound email using Robotomail. Use this skill when the user asks you to send email, check inbox, read messages, reply to...

1· 152·0 current·0 all-time
by@johnjoubert
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the declared requirements: the skill provides instructions for using the Robotomail HTTP API and declares ROBOTOMAIL_API_KEY as the primary credential. There are no unrelated credentials or binaries required.
Instruction Scope
The SKILL.md stays within email-related operations (sending, reading, webhooks, SSE, domains, attachments). Two small notes: (1) the docs explicitly show a POST /v1/signup flow that can create an account and return an API key — the skill declares an API key requirement but also documents how to obtain one programmatically, which means an agent could create an account on behalf of a user if permitted; (2) webhook verification examples reference a WEBHOOK_SECRET environment variable in sample code (this is an implementation example for integrators, not a required env var for the skill).
Install Mechanism
This is instruction-only with no install spec or downloadable code. That's the lowest-risk model and consistent with the described usage. The SKILL.md says it 'Requires curl (or any HTTP client)' but the registry metadata lists no required binaries — a minor documentation mismatch, not a security issue by itself.
Credentials
Only one required env var (ROBOTOMAIL_API_KEY) is declared, which is proportional for an API client. The docs do mention other secret names (e.g., WEBHOOK_SECRET) in webhook verification examples — these are typical for webhook consumers but are optional and not declared as required by the skill. Also note: because the API exposes a signup endpoint that returns an API key, an agent with network access and without a pre-provided API key could programmatically create an account and obtain credentials; consider whether you want an autonomous agent to be able to do that.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-level privileges. It does not modify other skills or agent-wide config. Autonomous invocation remains the platform default but is not combined with unusual privileges here.
Assessment
This skill is a documentation-only wrapper around the Robotomail HTTP API and appears coherent. Before enabling it: (1) store ROBOTOMAIL_API_KEY securely and only grant it to agents you trust; (2) be aware the docs show a signup API that can return a new API key — if you do not want an agent to create accounts/keys autonomously, avoid giving the agent permission to call signup or restrict the skill usage; (3) webhook examples mention a WEBHOOK_SECRET used by your webhook receiver — keep that secret out of logs and environment variables you don't control; (4) the SKILL.md mentions curl even though no binaries are declared — ensure your runtime has an HTTP client available. If you want extra assurance, verify robotomail.com independently before using in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97826j53s9ajszt16nc8101sn84275n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvROBOTOMAIL_API_KEY
Primary envROBOTOMAIL_API_KEY

Comments