iClawd Email

This skill appears to do what it says (give an agent an @iclawd.email inbox) but there are important mismatches and risks to consider before installing: - The SKILL.md expects an API key and directs saving it to ~/.iclawd/config.md, yet the registry metadata declares no required credentials or config paths. Ask the publisher to clarify how credentials are issued, stored, rotated, and what exact permissions the API key has. Do not assume the key is low-privilege. - Webhooks can send inbound emails to any URL you configure. Only allow webhooks to endpoints you control and trust; otherwise incoming mail (possibly containing sensitive content) could be forwarded externally. - The skill permits automated sending (including signups and replies). Decide whether the agent should be allowed to send external emails autonomously or require owner approval for any external recipient or attachments. - Verify the domain and service legitimacy (https://iclawd.email). Because the skill's source/homepage are 'unknown' or not verified in the registry metadata, confirm the provider identity and review privacy/retention policies before handing over real messages. - Ask the author to update the registry metadata to list the API key as a required credential and to declare the config path(s). Prefer skills that declare required env vars/config paths in metadata so the platform can surface permission prompts to users. If you proceed, restrict the agent: require explicit owner confirmation for webhook creation, external sends beyond occasional signups, and any operation that would store or forward owner-sensitive content.