MailMolt - Email for AI Agents

What to check before installing: - Clarify the metadata mismatch: ask the publisher why the registry listing shows no required env vars while mailmolt-hook.json and the code require an API key (MAILMOLT_API_KEY). The platform should list required secrets explicitly. - Treat the API key as highly sensitive. Prefer storing it in the platform secret store (OpenClaw config secrets) rather than a plaintext file in ~/.config. If you must use a file, restrict filesystem permissions and consider rotating keys. - Understand what MailMolt will see: the service receives, stores, and returns your agent's messages and (per heartbeat) may return the human owner's verified email. If that data is sensitive, review MailMolt's privacy/retention policy and confirm you trust api.mailmolt.com and the stated repository/homepage (confirm the domain and repo are legitimate). - Webhooks: if you set up webhooks, provide a verification secret (MAILMOLT_WEBHOOK_SECRET) and validate signatures on your endpoint. Do not expose webhook endpoints that accept unauthenticated requests. - Human approvals: keep agents in supervised/sandbox mode until you trust behavior. The skill can send email when elevated; limit permission level and require human approval for external sends where possible. - Audit network usage and logs after enabling: the skill polls heartbeat every 30 minutes and will make API calls for sends/reads/searches; confirm that frequency is acceptable and that logging does not leak message contents. If you cannot confirm the metadata discrepancy, the origin of the package, or the legitimacy of mailmolt.com/repo, treat the skill as untrusted and do not provide your API key or enable it broadly.