Skill v1.0.0
ClawScan security
Agentemail · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 4:41 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and docs look like a legitimate agent-focused email SDK, but there are inconsistencies in the registry metadata (it omits the required AGENTMAIL_API_KEY), and the runtime instructions ask you to write transforms into ~/.clawdbot and wire up webhooks — things you should review before installing or running with real credentials.
- Guidance
- This skill appears to implement an agent-friendly email API and includes useful scripts, but proceed cautiously:
  - Do not run the included scripts or pip install the 'agentmail' SDK until you verify the SDK's provenance (PyPI package, author, homepage). Treat AGENTMAIL_API_KEY as a sensitive secret.
  - Confirm the registry metadata is corrected — the skill requires AGENTMAIL_API_KEY (the registry currently lists no env vars). Ask the publisher to declare required env vars and primary credential.
  - Review the Clawdbot transform (~/.clawdbot/hooks/email-allowlist.ts) before creating it; the transform runs on incoming webhooks and could change how messages are delivered. Only allow trusted senders.
  - When you register webhooks, use HTTPS and verify webhook signatures (the docs show HMAC verification). Use a secret; don’t accept unauthenticated webhook payloads.
  - For development, run in an isolated environment or ephemeral account (don’t connect real, high-privilege accounts). Avoid exposing other credentials (GITHUB_TOKEN, etc.) unless necessary and reviewed.
  - Because the publisher/source/homepage are not provided, prefer testing in a sandbox and request more publisher metadata (homepage, repo, contact) before using in production.
- Findings
[prompt-injection-ignore-previous-instructions] expected: The scanner flagged 'ignore-previous-instructions' pattern. SKILL.md intentionally mentions that pattern as an example of malicious email content and instructs allowlisting/defenses against it, so the presence of this pattern in the docs is expected contextually (it's a warning), not evidence of the skill trying to inject prompts itself.
Review Dimensions
- Purpose & Capability
- note: The name, description, SKILL.md and included scripts all consistently implement an API-first email service for agents (create inboxes, send/receive messages, webhooks). That functionality reasonably explains the included scripts (send_email.py, check_inbox.py, setup_webhook.py) and references to a Python SDK. However the registry metadata declares no required environment variables or primary credential, while the SKILL.md and scripts clearly require AGENTMAIL_API_KEY — this metadata omission is an inconsistency and reduces trust.
- Instruction Scope
- note: SKILL.md and references provide concrete, bounded instructions for SDK install, creating webhooks, and defensive transforms. They explicitly warn about prompt-injection via incoming emails and recommend allowlisting via a Clawdbot transform written to ~/.clawdbot/hooks/email-allowlist.ts and updating ~/.clawdbot/clawdbot.json. Asking the user to add/modify files in their home config and to restart the gateway is reasonable for webhook filtering, but this is a privileged action on the user's agent environment and should be performed only after review. The instructions do not appear to stealthily read unrelated files or exfiltrate data, but they grant discretion to run user code (the transform) so review is warranted.
- Install Mechanism
- ok: There is no install spec in the registry (instruction-only), and the skill includes scripts and documentation that instruct users to pip install the 'agentmail' SDK and other standard tools (python-dotenv, flask, ngrok). No arbitrary binary downloads or obscure URLs are present. Risk is typical for Python packages — verify the SDK package and its provenance before pip installing.
- Credentials
- concern: The skill's runtime docs and scripts require an API key (AGENTMAIL_API_KEY) and the sample code references other optional env vars (e.g., GITHUB_TOKEN) for integrations. The registry metadata, however, lists no required env vars or primary credential — this mismatch is concerning because the skill will fail or prompt for secrets at runtime and the registry did not surface that it needs an API key. Requesting an AgentMail API key is proportionate to the skill's purpose, but the omission in metadata is a red flag that deserves correction. Also the webhook verification guidance implies use of a webhook secret — users should ensure they store and protect that secret.
- Persistence & Privilege
- ok: The skill does not request 'always: true' or any automatic elevated platform presence. It instructs the user to add a transform script under their own ~/.clawdbot hooks directory and to restart a local gateway; these are user-controlled actions and not automatic persistence of the skill. No code in the package attempts to modify other skills' configs or system-wide settings beyond the user-editable Clawdbot config the docs describe.
