ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentMail (Enhanced)

v1.1.0

Programmatic email for AI agents via AgentMail API. Create inboxes, send/receive messages, manage threads, webhooks, pods, and custom domains. Use when you need agent email identity, email-based workflows, or real-time email processing.

2· 1.7k·1 current·1 all-time
by@kesslerio
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and reference files consistently describe an email API client (AgentMail) which matches the skill name and description. However the registry metadata lists no required env vars or primary credential while SKILL.md explicitly says it requires AGENTMAIL_API_KEY. The instructions also reference a ./scripts/agentmail-cli script that is not present in the shipped file manifest — this mismatch between claimed capabilities and declared requirements/install footprint is concerning.
Instruction Scope
The runtime instructions direct the agent to perform normal email tasks (create inboxes, send/receive, webhook handling, attachment processing). They also reference additional secrets and environment variables in examples (GITHUB_TOKEN, webhook_secret, ngrok authtoken) and show code that reads files (/tmp, attachments) and posts to external endpoints (webhook URLs). Those actions are expected for an email/webhook integration but the presence of undeclared env vars and missing CLI scripts widens the scope beyond what's declared. Also a prompt-injection pattern ('ignore-previous-instructions') was found in SKILL.md, which could attempt to manipulate behavior or evaluations.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute on install, which is lower risk. The docs instruct installing the agentmail Python package via pip (a normal dependency). There are no downloads from arbitrary URLs or extract steps present in the skill bundle.
!
Credentials
The registry metadata claims no required env vars, but SKILL.md repeatedly requires AGENTMAIL_API_KEY. Examples and guides also reference other sensitive env vars (GITHUB_TOKEN, webhook_secret, ngrok auth token) without declaring them. That mismatch makes it unclear which credentials are actually needed and increases the chance of accidental exposure of unrelated secrets if the user follows examples verbatim.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not include install-time scripts that modify agent/system configuration. Autonomous invocation remains allowed (default), which is expected for skills; nothing here elevates persistence or privilege beyond normal skill behavior.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. That token is not expected for an API integration guide; it may be an attempt to influence evaluation or runtime instruction-following. Treat as suspicious and verify the SKILL.md content before trusting it.
What to consider before installing
This skill appears to implement a normal email API integration, but there are multiple inconsistencies and missing pieces. Before installing: 1) Verify the skill's origin — source is unknown; prefer skills from trusted publishers. 2) Expect to supply AGENTMAIL_API_KEY (SKILL.md) even though the registry metadata omits it; do not reuse high-privilege or unrelated credentials. 3) Confirm whether the referenced CLI script (./scripts/agentmail-cli) actually exists from the publisher — it's not in the provided files. 4) Inspect the 'agentmail' PyPI/GitHub package independently (pip package, repo, release tags) before installing. 5) Treat webhook endpoints and webhook_secret carefully: host webhook receivers in a sandbox, verify signatures as recommended, and do not expose other environment secrets to webhook code. 6) Do not paste unrelated tokens into examples (e.g., GITHUB_TOKEN) — modify examples to use least-privilege credentials. 7) If you proceed, test in an isolated environment, review logs and network activity, and rotate any API keys used if you stop using the skill. If you want, provide the agentmail package homepage or the skill publisher identity and I can re-evaluate with that additional information.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c4rtyrzrgbz627k3qrs3jr580cmhs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments