Risk level: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill is not clearly malicious, but it gives an agent broad email, admin, persistent-service, and inter-agent powers that need careful review before use.
Install only if you want an agent to operate a real mailbox and related services. Use an agent-scoped key instead of a master key for normal use, require explicit confirmation for sends/deletes/rules/admin actions, inspect the external setup command before running it, and run the Docker services in an isolated environment with a clear cleanup plan.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken, over-eager, or prompt-influenced agent could send mail, delete or move mailbox content, or create rules that keep affecting future messages.
The skill exposes tools that can send external messages, delete multiple emails, and create automatic mail-processing rules. These are purpose-aligned, but high-impact mutations are not clearly bounded by per-action approval, rollback, or scope limits in the provided artifacts.
`agenticmail_send` | Send an email ...
`agenticmail_batch_delete` | Delete multiple messages by UIDs ...
`agenticmail_rules` | Manage server-side email rules for auto-processing
Use only with explicit confirmations for sending, deleting, rules, and scheduled actions; prefer least-privilege accounts and review audit logs regularly.
If configured with a master key, the agent could create or delete agent accounts and manage domain/gateway settings, not just operate its own mailbox.
The API distinguishes agent-scoped keys from a master key that can perform account and domain management. The configuration docs also show a `masterKey` in plugin config, which could give the agent admin authority beyond normal mailbox access.
Master Key (`mk_...`): Admin operations (account/domain management)
Do not place the master key in routine agent configuration unless absolutely required; use an agent-scoped key for normal email tasks and keep admin actions separate.
Installing requires trusting external setup code to modify local services, credentials, plugin configuration, and gateway state.
The main setup path performs high-impact local configuration through a CLI implementation not included in the provided files, and the artifact set has no install spec to pin or review that setup behavior.
`agenticmail openclaw` ... sets up the mail server, creates an agent account, configures the plugin, and restarts the gateway.
Inspect and pin the external package/CLI before running setup; run setup manually in an isolated environment when possible.
Sensitive email or task content could be shared with another agent if workflows delegate too broadly.
Inter-agent messaging and task delegation are disclosed and central to the skill, but the artifacts do not describe trust boundaries, identity verification, or what data may be shared with other agents.
`agenticmail_message_agent` | Send a message to another AI agent by name (rate-limited) ...
`agenticmail_call_agent` | Call another agent (sync or async). Preferred method for all delegation.
Delegate only information intended for the receiving agent, verify agent identities/roles, and avoid sharing secrets or private mailbox contents through inter-agent calls.
The mail/API services may continue running and storing data after the agent task is finished.
The setup script starts Docker services in detached mode, creating a long-running local service. That is expected for a mail server, but users should recognize it persists beyond the immediate task.
`docker compose up -d`
Know how to stop the containers, rotate keys, and remove generated data if you no longer need the service.
