ClawHub

Sendook Email (Restricted)

v1.1.0

Read and send emails from an existing Sendook inbox. Use when an AI agent needs to check for new emails, read messages, reply to conversations, or send new emails from a pre-configured inbox. Limited to message operations only — no inbox creation, domain management, or webhook configuration.

0· 895·0 current·0 all-time
by@obaid
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description declare read/send operations for a pre-configured Sendook inbox and the skill only requests SENDOOK_API_KEY and SENDOOK_INBOX_ID — both directly necessary for the stated operations. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains concrete API and SDK examples limited to listing/getting threads/messages, sending messages (including attachments) and explicitly forbids inbox/domain/key management. It warns not to read sensitive local files and requires explicit user confirmation before attaching local files. It does not instruct reading unrelated system state or exfiltrating data to unexpected endpoints.
Install Mechanism
The skill is instruction-only (no install spec or code files), which is low-risk. The README recommends installing the @sendook/node npm package — installing a third-party package introduces the usual supply-chain considerations (verify package provenance, author, and repository). The recommendation is reasonable for the SDK but is worth verifying before npm install.
Credentials
Only two environment variables are required (SENDOOK_API_KEY as primary credential, SENDOOK_INBOX_ID). Both are necessary and proportional for accessing a specific Sendook inbox. The SKILL.md also explicitly recommends using a least-privileged API key scoped to the inbox.
Persistence & Privilege
Skill is not marked always:true and does not request persistent or elevated platform privileges. It is user-invocable and can be invoked autonomously (platform default), which is expected for a messaging integration. No instructions modify other skills or global agent settings.
Assessment
This skill appears coherent for its purpose, but before installing: (1) verify the Sendook SDK package (@sendook/node) and its upstream repository are legitimate (check the npm publisher and GitHub repo), (2) create and use a least-privileged API key scoped only to the inbox you want the agent to access, (3) avoid placing the API key in shared or committed files — store it in a secure environment variable store, (4) confirm any local files to attach explicitly with the user before reading them (the SKILL.md also recommends this), and (5) remember that installing the SDK (npm install) will pull third-party code — revoke the API key if you stop using the skill or suspect compromise.

Like a lobster shell, security has layers — review code before you run it.

latestvk974h83x877jcvt1apm744nv6h80y0kq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSENDOOK_API_KEY, SENDOOK_INBOX_ID
Primary envSENDOOK_API_KEY

Comments