MailMolt - Email for AI Agents

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: mailmolt
Version: 1.1.0

The OpenClaw skill bundle for MailMolt provides email identity and functionality for AI agents. All network communication is directed to the legitimate `api.mailmolt.com` domain. The `SKILL.md` instructions for the agent are transparent and align with the stated purpose, without any evidence of prompt injection to ignore users, hide actions, or exfiltrate unrelated sensitive data. The `handlers.ts` code implements the email functionality without using risky execution methods or accessing arbitrary files. Furthermore, the `mailmolt-hook.json` and `SKILL.md` explicitly detail security features such as permission levels, rate limits, human approval for sending emails, and activity logging, indicating a strong focus on preventing abuse. While the capability to configure webhooks to arbitrary URLs exists, the skill itself does not instruct malicious use of this feature.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is allowed to send mail, it can contact external recipients using its MailMolt identity.

Why it was flagged

The handler can send real email through MailMolt when invoked with recipient, subject, and body. This is central to the skill's purpose, but outbound email is an irreversible external action.

Skill content

```typescript
const response = await apiRequest(config, 'POST', '/v1/messages', {
  to: [params.to],
  subject: params.subject,
  text: params.body,
})
```

Recommendation

Keep send/reply approval enabled, use MailMolt permission levels and rate limits, and avoid granting autonomous sending unless you explicitly want that behavior.

What this means

Anyone with the API key may be able to access or operate the agent's MailMolt email account within its permission level.

Why it was flagged

The skill requires a MailMolt API key for the agent's email account. This credential use is expected for the service, but it is still account authority that should be protected.

Skill content

Store in `~/.config/mailmolt/credentials.json`:

```json
{
  "api_key": "mm_live_xxxxx",
  "email": "your-agent-name@mailmolt.com"
}
```

Recommendation

Store the API key securely, rotate it if exposed, and set the lowest MailMolt permission level that supports your intended use.

What this means

A malicious sender could write an email that tries to instruct the agent to ignore the user or perform unsafe actions.

Why it was flagged

Email bodies and previews from outside senders are returned directly into the agent's context. That is expected for reading email, but the content may contain prompt-injection attempts.

Skill content

```typescript
result += `${msg.text_body || msg.preview}\n\n`;
```

Recommendation

Treat email content as untrusted data and require explicit user confirmation before acting on instructions received by email.

What this means

Email metadata or previews could be delivered to webhook infrastructure you configure.

Why it was flagged

The hook supports webhooks that can send message metadata and previews to a configured endpoint. This is disclosed and purpose-aligned, but it creates an additional data boundary.

Skill content

```json
"webhooks": {
  "events": [
    {
      "type": "message.received",
      "payload": {
        "message": {
          "id": "string",
          "from": { "email": "string", "name": "string" },
          "to": "array",
          "subject": "string",
          "preview": "string"
        }
      }
    }
  ]
}
```

Recommendation

Only register webhook URLs you control, verify webhook signatures if used, and avoid forwarding sensitive email content unnecessarily.

What this means

If the referenced workflow files are later installed or fetched from elsewhere, they could add behavior not visible in this review.

Why it was flagged

The hook references workflow files, including an auto-reply workflow, that are not present in the provided file manifest. The main handlers are reviewable, but these optional workflows cannot be assessed from the supplied artifacts.

Skill content

```json
"auto-reply": {
  "description": "Automatically draft and send replies based on email content",
  "file": "workflows/auto-reply.lobster"
}
```

Recommendation

Review any referenced workflow files before enabling them, especially workflows that automatically send replies.

What this means

The agent may regularly contact MailMolt and receive action items if you add the skill to a heartbeat routine.

Why it was flagged

The skill suggests recurring heartbeat checks. This is disclosed operational behavior, not hidden persistence, but it can make the agent poll the service on an ongoing schedule.

Skill content

Add MailMolt to your heartbeat routine. Call every 30 minutes

Recommendation

Enable recurring heartbeat checks only if you want ongoing MailMolt activity, and keep the interval and resulting actions under user oversight.