Skill v1.0.0
ClawScan security
Agent Mailbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 7:38 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is mostly coherent with a local file-based mailbox, but the runtime instructions and examples encourage automatic task execution and webhook callbacks (potential exfiltration), and the docs mention cloud sync features that aren't implemented in the shipped code; review before enabling automation or cloud sync.
- Guidance: This skill provides a local file-based mailbox and appears to implement the advertised CLI/API, but proceed carefully:
  - Review the code before enabling automation: examples (agent-heartbeat) will automatically execute tasks and POST results to callback URLs included in messages. A malicious message could cause your agent to send data to an attacker-controlled endpoint.
  - Do not enable cron/heartbeat processing until you trust message senders or add validation/whitelisting. Prefer manual review (openclaw mail check / read) before acting on tasks.
  - The README/SKILL.md mention optional cloud sync and cloud-api-key configuration, but the provided code contains no cloud sync implementation; do not provide cloud credentials until you see a clear, reviewed implementation.
  - Messages are stored under ~/.openclaw/workspace/mailbox; ensure filesystem permissions are appropriate and consider encrypting sensitive data before storing or waiting for the 'optional encryption' feature.
  - If you plan to use webhooks/callback URLs from messages, sanitize and validate destinations and the data you send. Treat callback_url and metadata as untrusted input.

  If you want a safer install: keep mailbox local-only, disable scheduled processing, and implement explicit checks (sender authentication, URL allowlist, limits on data sent) before enabling heartbeat automation or cloud sync.
Review Dimensions
- Purpose & Capability (note): The code and CLI implement a local file-based mailbox that matches the name/description (messages stored under ~/.openclaw/workspace/mailbox, send/read/reply/archive). However, SKILL.md refers to optional cloud sync and config commands (cloud-url / cloud-api-key) and a cloud sync feature which is not present in the provided code, a mismatch between docs and implementation.
- Instruction Scope (concern): SKILL.md and the example heartbeat explicitly instruct agents to automatically process high-priority messages, execute tasks referenced by message metadata, and call callback URLs. The example agent-heartbeat performs network POSTs (fetch) to callback URLs derived from message metadata and suggests cron-based automation. That means a message from an untrusted sender could cause your agent to perform work and send results to arbitrary external endpoints (exfiltration risk). The mailbox core itself does not execute shell commands, but the provided examples push automatic execution as the default behavior; this expands the runtime scope and risk.
- Install Mechanism (ok): No install spec or remote downloads are present; this is an instruction+source bundle. No external packages are installed at runtime by the skill itself. That keeps installation footprint low.
- Credentials (note): The skill declares no required environment variables or secrets (good). The code does read process.env.HOME (fallback to /tmp) and uses process.env.AGENT_NAME or process.env.USER to identify the agent; these are reasonable but are not documented in requires.env. SKILL.md suggests setting cloud API keys via 'openclaw mail config', yet no cloud sync implementation exists in the code, so requests for cloud credentials would be out-of-band and should be treated cautiously when/if added.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills. It writes files to ~/.openclaw/workspace/mailbox (its own data), which is expected. However, the docs encourage cron integration, so operators may configure periodic processing; that automation increases blast radius if enabled without validation of incoming messages.
