Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agentmail Temp
v1.0.0API-first email platform designed for AI agents. Create and manage dedicated email inboxes, send and receive emails programmatically, and handle email-based...
⭐ 0· 174·0 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (API-first email platform) matches the included code (send/check inbox, webhook setup) and examples. However the registry metadata lists no required environment variables or config paths while the README and scripts clearly expect AGENTMAIL_API_KEY and recommend creating files under ~/.clawdbot. That metadata mismatch is inconsistent.
Instruction Scope
SKILL.md and references instruct the agent/user to create allowlist transforms and edit Clawdbot config at ~/.clawdbot/clawdbot.json and restart the gateway. Those instructions reach into a global agent gateway configuration (affecting how webhooks are processed) and therefore expand scope beyond merely offering an API client. The SKILL.md also contains examples of dangerous email text (prompt-injection examples) which were flagged by the pre-scan; the examples appear to be warnings, but the presence of prompt-injection patterns warrants attention.
Install Mechanism
There is no install specification (instruction-only) and included scripts are plain Python. No downloads from untrusted URLs or automatic extraction/execution are present. Risk from install mechanism is low.
Credentials
The skill and scripts require AGENTMAIL_API_KEY (used in all scripts and examples) and recommend other secrets (webhook_secret verification, optional GITHUB_TOKEN in examples), but the registry metadata declares no required environment variables or primary credential. Requesting an API key for the email provider is expected, but the omission from metadata is an inconsistency and the examples mention other secrets without declaring them.
Persistence & Privilege
The skill instructs writing a transform file into ~/.clawdbot/hooks and editing ~/.clawdbot/clawdbot.json — i.e., modifying the gateway's hook mappings. Modifying system- or agent-level configuration for webhook transforms is a meaningful privilege and should be done only with explicit user consent; the skill's metadata does not advertise this. always:false and no automatic installation reduces risk but the instructions still advise persistent changes to the agent environment.
Scan Findings in Context
[ignore-previous-instructions] expected: The phrase appears inside SKILL.md as an example of malicious email content (a warning about prompt injection). The pre-scan flagged it as an injection pattern; in this context it's presented as a threat example, not as an instruction the skill executes. Still, presence of these examples indicates the skill authors are aware of prompt-injection risks.
What to consider before installing
This skill implements an email API client and webhook helpers and appears to do what it says — but there are important inconsistencies and privileges to review before installing:
- Metadata mismatch: the registry metadata claims no required env vars, but the scripts and README require AGENTMAIL_API_KEY (and examples reference webhook signing secrets and optional GITHUB_TOKEN). Treat AGENTMAIL_API_KEY as required.
- Global config changes: the SKILL.md instructs you to create a transform file under ~/.clawdbot/hooks and edit ~/.clawdbot/clawdbot.json. Those steps modify your agent gateway behavior for all webhooks; do not do this unless you understand and trust the code and the author.
- Least privilege: if you try it, create a dedicated AgentMail API key with minimal permissions and use a test account/inbox (do not use production or admin credentials).
- Verify webhook signing: follow the webhook verification guidance (use a webhook secret) and keep hooks restricted to HTTPS endpoints you control.
- Audit the scripts: inspect the included Python files before running them; they are straightforward, but run them in an isolated/dev environment first (or inside a container) rather than on critical hosts.
- Source trust: the skill has no homepage and an unknown owner; prefer packages with verifiable authorship. If you need to enable an allowlist transform in your gateway, add it manually after reviewing the code and ensure it only touches the intended mappings.
If you want me to, I can: (1) extract the exact places where AGENTMAIL_API_KEY and other secrets are referenced, (2) show the minimal changes needed to apply a webhook transform safely, or (3) rewrite the allowlist transform to be more conservative and produce a diff you can review.SKILL.md:89
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk97eznt9jg6mkc7hnmge9r9e0582vg5j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.