ClawHub

Post

v1.5.0

Manage IMAP email with the Post CLI and local daemon. Use when reading, searching, fetching, drafting, replying, reply-all, moving, archiving, trashing, expo...

0· 109·0 current·0 all-time
byOliver Drobnik@odrobnik
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (post, postd), and the Homebrew install formula align with a local macOS mail CLI/daemon. Required items are proportional to the stated functionality.
Instruction Scope
Runtime instructions stay on-topic (search, fetch, draft, reply, attachments, daemon setup). They explicitly describe optional config files (~/.post.json), scoped API-key usage, and daemon hook commands. Important: hook commands receive environment variables and a JSON payload and can run arbitrary scripts/commands — this is expected for hook functionality but is the primary area where data (email contents, metadata, and tokens if misconfigured) could be exposed or acted on.
Install Mechanism
Install uses a Homebrew formula from cocoanetics/tap, a standard macOS package mechanism. This is an expected and low-risk install channel for a macOS-only CLI/daemon.
Credentials
The skill does not require environment variables to function, but the documentation instructs using scoped POST_API_KEY tokens and optionally storing them in an agent workspace .env file. Requesting and using API tokens is appropriate, but these tokens grant mailbox access and must be scoped and protected (chmod 600, avoid global shells).
Persistence & Privilege
always is false and the skill does not request system-wide privileges beyond optional LaunchAgent instructions to auto-start the daemon. The provided LaunchAgent and daemon controls are appropriate for a background mail daemon on macOS; no evidence the skill modifies other skills or system-wide agent configs beyond standard daemon install steps.
Assessment
This skill appears to do exactly what it says: manage IMAP mail via a local CLI and daemon installed from Homebrew. The main risks are operational: 1) Scoped POST_API_KEY tokens grant mailbox access — only give agents the narrowest token they need, store tokens in a restricted workspace (.env with chmod 600) and rotate/delete tokens when unused. 2) If you configure a daemon hook (command), that script will receive email metadata and a JSON payload and can run arbitrary commands on your machine; only use trusted hook scripts and avoid placing hook scripts in paths writable by untrusted agents. 3) Auto-starting postd via LaunchAgent is normal for a daemon but gives continuous background access to mail; ensure you trust the software and the Homebrew tap. If you want added assurance, review the Homebrew formula source and the upstream GitHub repo releases before installing and restrict agent permissions to scoped tokens rather than full-access credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ya6tj17c20xbm1578ac8hs833n60

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏤 Clawdis
OSmacOS
Binspost, postd

Install

Install post via Homebrew
Bins: post, postd
brew install cocoanetics/tap/post

Comments