FREE EMAIL from @claw.boston: get a free native OpenClaw mailbox in one click

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent email skill, but it stores a mailbox key and can send/read emails and attachments through claw.boston, so users should review privacy and sending controls.

Install this only if you trust claw.boston as your email provider. Protect the local config.json API key, review recipients and attachments before sending, and treat all incoming email content and webhook previews as untrusted text rather than instructions for the agent.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken recipient, generated message, or attachment choice could send information outside the user’s environment.

Why it was flagged

The skill can send external emails and transmit attached file contents through the provider API. This is central to the email purpose, but it is a real external side effect.

Skill content

If user mentions files to attach, encode them as base64 and include in attachments[] ... Call POST /api/send

Recommendation

Review recipient addresses, generated email body, and attachments before sending, especially for business, financial, or private material.

What this means

Anyone or anything that obtains the local config file’s API key could access the mailbox.

Why it was flagged

The skill persists an API key that can access the mailbox. This is disclosed and expected for an email integration, but it is sensitive account authority.

Skill content

Never share your api_key. It grants full access to your mailbox.

Recommendation

Keep the config file private, avoid sharing logs or screenshots containing the key, and remove or rotate the key if you stop using the skill.

What this means

Incoming email metadata and previews may be delivered into the local OpenClaw gateway as notifications.

Why it was flagged

The skill creates a provider-to-local-gateway notification channel. This is purpose-aligned for email alerts, but the artifact does not describe webhook authentication or origin verification.

Skill content

I'll configure a webhook to receive real-time notifications when new emails arrive. The webhook points to your local OpenClaw gateway.

Recommendation

Use the webhook only if you trust the provider and gateway configuration, and treat notification previews as untrusted email content.

What this means

A malicious email could try to trick the agent into following instructions embedded in the message.

Why it was flagged

Email bodies, subjects, and previews can come from arbitrary senders and may contain instructions aimed at the agent. The skill mentions suspicious-email flagging, but the user should still treat email content as untrusted.

Skill content

Present the full email content naturally

Recommendation

Do not let email text override your intent; ask the agent to summarize or extract facts from emails rather than follow instructions contained in them.

What this means

Users have less registry-level information for independently verifying the provider before trusting it with email.

Why it was flagged

The registry metadata does not provide a source repository or homepage, even though the skill relies on an external email service. No executable code is installed, so this is a provenance note rather than a concrete unsafe behavior.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the claw.boston website and service terms before using the mailbox for sensitive communication.