Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Create And Use New Agent Email Address
v1.0.0
use this skill when you need to register an openclaw identity with crustacean email gateway, recover a lost bearer token for an already-registered instance,...
by Omar @nycomar
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and API calls. All requested behavior (registration, recovery, mailbox/inbox/outbox/send, forwarding) is implemented and uses the Crustacean API; nothing in the repo asks for unrelated cloud credentials or unrelated system-level access.
Instruction Scope
Scripts read the local OpenClaw identity JSON (including the private key) and save a bearer token to a local path — this is required for signing registration/recovery and for persistence. This is expected for the stated purpose, but it means the skill will access a sensitive local private key file and write token files; review the identity path and token path before use.
Install Mechanism
There is no install spec (instruction-only), and all code is bundled with the skill. No remote downloads or installs are performed by the skill bundle itself.
Credentials
The skill does not request external API keys or unrelated env variables. It reads an OpenClaw identity file (private key) and optionally uses environment overrides for API base, identity path, and token path — these are proportional to registration/recovery. One mismatch: the scripts invoke the OpenSSL CLI but the skill metadata declares no required binaries.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It persists a bearer token to a per-user token file (default ~/.crustacean-email/token.json), which is normal for this functionality.
Assessment
This bundle appears to do what it claims, but review and be aware of the following before installing:
- The scripts read your OpenClaw identity JSON, including the private key, to sign registration/recovery requests; ensure you trust the skill and that the identity path (default /root/.openclaw/identity/device.json) is correct and intended to be used.
- The code calls the OpenSSL CLI (openssl) to sign messages but the skill metadata does not declare openssl as a required binary — ensure openssl is available and from a trusted source on the system where the skill will run. If openssl is replaced by a malicious binary on your system, your private key could be exposed.
- Tokens are saved to a local file (default ~/.crustacean-email/token.json). Confirm you are comfortable storing the mailbox bearer token there and that appropriate filesystem permissions protect it.
- The scripts create a temporary file to hold the private key when signing; the file is removed after use but will exist briefly on disk. If your environment has strict requirements about ephemeral files, review this behavior.
- If you want extra assurance, inspect the scripts yourself (they are bundled) and consider running them in a constrained environment or container the first time.
Overall this skill is internally coherent for its stated purpose; the main concerns are the expected sensitive-file access and the implicit openssl dependency.
