Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Manage Email
v1.1.1
Interact with your email inbox using mail-cli commands: read, search, send, reply, mark, move, delete, manage folders, drafts, and accounts via CLI.
by Laffy @mirai3103
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Manage Email via mail-cli) align with the runtime instructions: all examples and workflows are about reading, searching, sending, and managing email via a 'mail-cli' tool.
Instruction Scope
SKILL.md stays within the email-management domain and does not instruct reading arbitrary system files or unrelated environment variables. It does instruct running mail-cli commands that may download attachments to disk and attach local files, and it includes an npm install example; those runtime actions will access mailbox data and the filesystem and should be expected and monitored.
Install Mechanism
Although the registry has no formal install spec, the SKILL.md explicitly recommends 'npm install -g @laffy1309/emailcli'. That is an unsigned, third-party package name (unknown author) and a global npm install can run arbitrary code on the host. This is the primary risk signal.
Credentials
The skill declares no required env vars or credentials and expects local mail-cli account configuration (e.g., 'mail-cli account add') to provide provider auth. That is proportionate, but the skill does not document how OAuth/credentials are handled; attachments and mailbox access mean sensitive data will be reachable by the CLI and by any agent-run processes.
Persistence & Privilege
always is false and the skill does not request persistent or system-wide configuration changes in the manifest. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests in the manifest.
What to consider before installing
Before installing or invoking this skill:
1) Do not run the 'npm install -g @laffy1309/emailcli' command unless you have verified the package source (npm page, repository, maintainer) and audited its code or trust the author. Global npm installs can execute arbitrary code.
2) Expect the CLI to access your mail accounts, attachments, and the filesystem (downloads/attachments). Run it in a controlled environment or sandbox if you need to test.
3) Confirm how you will authenticate provider accounts (OAuth flows, stored credentials) and whether those credentials are stored locally; the skill does not declare or manage secrets itself.
4) If you will allow the agent to invoke the skill autonomously, require explicit user confirmation for sending or deleting emails to avoid accidental data loss or exfiltration.
5) If you need a higher-assurance integration, prefer an official client or a vetted package/repository and inspect its source before granting access.
Like a lobster shell, security has layers — review code before you run it.
