ClawHub

AgentMail sending and receiving with Python scripts

v1.0.0

python files which are used to send an email and to download received emails from an inbox. The email provider is agentmail.to, which offers an API. This way...

0· 329·0 current·0 all-time
byGerhard Lausser@lausser
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and instructions match the stated purpose: both scripts use the agentmail Python client to list, fetch, mark read, send, and reply to messages for an inbox. However, the registry metadata declares no required environment variables or primary credential, while the runtime clearly needs AGENTMAIL_API_KEY — an inconsistency between declared requirements and actual capability.
Instruction Scope
SKILL.md and the scripts confine activity to the workspace (~/.openclaw/workspace/agentmail), create a virtualenv, install PyPI packages, read an AGENTMAIL_API_KEY from a .env or environment, call the agentmail API, and write MAIL.* JSON files. The instructions do not ask the agent to read unrelated system files or send data to unexpected endpoints beyond the agentmail API.
Install Mechanism
There is no formal install spec in the registry; SKILL.md instructs creating a venv and running 'pip install agentmail python-dotenv' from PyPI. Installing PyPI packages is expected for a Python skill but carries moderate risk (verify the agentmail package and its provenance). The install actions write files to the user's workspace, which is expected behavior here.
!
Credentials
The scripts require AGENTMAIL_API_KEY, but the registry metadata lists no required environment variables or primary credential. This omission is a mismatch that could cause users to overlook the need to supply a secret. SKILL.md also mentions reading openclaw.json as an alternative source for the key (the scripts themselves only load .env or the process environment), which creates ambiguity about where secrets will be stored. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges. It installs to and runs from a workspace-specific directory and does not modify other skills or system-wide configs. Autonomous invocation (disable-model-invocation=false) is the platform default and is not by itself concerning here.
What to consider before installing
This skill appears to be a straightforward agentmail client, but the registry metadata does not declare the AGENTMAIL_API_KEY that the scripts require. Before installing: 1) Confirm the source (review the linked GitHub repo and verify the agentmail PyPI package is legitimate and popular). 2) Do not place unrelated secrets into ~/.openclaw/workspace/agentmail/.env or openclaw.json — only store the agentmail API key there if you accept the risk. 3) Update or ask the publisher to update the skill metadata to declare AGENTMAIL_API_KEY as a required credential so automated checks will surface it. 4) Run the scripts in an isolated environment or VM if you are unsure, and replace the REPLACE_WITH_* placeholders before use. If you need higher assurance, request the publisher to provide a formal install spec and to sign/release the agents or packages used.

Like a lobster shell, security has layers — review code before you run it.

agentmailvk9707n1fakvctbt3ybc9et9dnn81z2m5emailvk9707n1fakvctbt3ybc9et9dnn81z2m5latestvk9707n1fakvctbt3ybc9et9dnn81z2m5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments