Agent Mailbox

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Review recommended: the mailbox is mostly a local messaging tool, but crafted agent names can write files outside the mailbox area and message-supplied callbacks can automatically send task results to external URLs.

Install only if you trust the agents or users that can place messages in the mailbox. Use simple safe agent names, avoid enabling automatic cron processing for untrusted mailboxes, do not store secrets in messages, and allowlist or disable callback URLs before processing tasks automatically.

Static analysis

Env credential access

Critical
Finding
Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malformed or malicious agent/recipient name could cause local files and folders to be created outside the mailbox area within the user's permissions.

Why it was flagged

The public recipient field is joined directly into a filesystem path with no visible validation or base-directory containment check, so crafted names such as ../ paths could create/write mailbox files outside the intended mailbox directory.

Skill content

export interface SendOptions { to: string; ... }
...
const recipientInboxPath = path.join(this.basePath, options.to, 'inbox');
fs.mkdirSync(recipientInboxPath, { recursive: true });
await this.saveMessage(message, recipientInboxPath);

Recommendation

Restrict agent names to a safe character set, normalize paths, and verify every resolved mailbox path remains under the intended ~/.openclaw/workspace/mailbox directory before creating or writing files.

What this means

If automatic heartbeat processing is enabled, a message from an untrusted or compromised source could make the agent send task outputs to an attacker-controlled URL.

Why it was flagged

The callback URL comes from message metadata and receives task results, but the example does not show sender authentication, domain allowlisting, or user confirmation before posting data externally.

Skill content

if (msg.metadata?.callback_url) {
  await callWebhook(msg.metadata.callback_url, {
    task_id: msg.metadata.task_id,
    status: 'completed',
    result: taskResult
  });
}
...
fetch(url, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(payload)
})

Recommendation

Only honor callbacks from trusted senders, require explicit opt-in for external callbacks, allowlist callback domains, and avoid sending sensitive task results unless the destination is verified.

What this means

The mailbox can keep acting on urgent messages on a schedule, which may surprise users if untrusted messages enter the mailbox.

Why it was flagged

The recurring cron workflow is disclosed and user-directed, but it keeps processing mailbox messages in the background after setup.

Skill content

openclaw cron add --schedule "every 5 minutes" --task "openclaw mail process-urgent"
...
This will automatically:
...
Process high-priority tasks
...
Execute callbacks
...
Archive expired messages

Recommendation

Enable the cron job only when needed, monitor its logs, and disable it for mailboxes that may receive untrusted task messages.

What this means

A cloud API key could allow message syncing to the configured backend if that feature is used.

Why it was flagged

Optional cloud sync would involve a backend API key. This is purpose-aligned, but users should treat that key as delegated access to their sync backend.

Skill content

openclaw mail config set cloud-url https://your-backend.com
openclaw mail config set cloud-api-key sk_...

Recommendation

Use a narrowly scoped backend key, avoid sharing it in messages, and verify where synced mailbox data is stored before enabling cloud sync.