Sunday
v1.0.1Agent identity provider — own email address and E2E-encrypted credential vault. Use when storing or retrieving passwords for services, logging into services with stored credentials, checking email inbox, receiving OTP/verification codes via email, signing up for services, getting your agent's email address, or any task where the agent needs its own identity separate from the user's. Replaces 1Password + AgentMail with a single skill — no desktop app, no tmux, fully autonomous.
⭐ 0· 708·0 current·0 all-time
byRaunak Singwi@raunaksingwi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description align with the runtime instructions: the SKILL.md shows CLI commands to get an agent email, read inbox, and store/retrieve encrypted passwords. Requiring a 'sunday' binary is consistent. However, the skill writes sensitive state to ~/.sunday/config.json (stores credentials/encryption keys) yet the registry metadata lists no required config paths or primary credential — an inconsistency that should have been declared.
Instruction Scope
SKILL.md instructs interactive login (opens browser, enter 6‑digit PIN) and then states that credentials and encryption keys are stored in ~/.sunday/config.json so subsequent commands run autonomously. The instructions give the agent explicit commands to list inboxes, fetch messages, and decrypt passwords. This is functionally expected for the stated purpose, but it grants autonomous access to highly sensitive data (email, OTPs, passwords) and the file path for those secrets is not declared in the skill manifest.
Install Mechanism
Install is via a Homebrew formula from a third‑party tap (ravi-technologies/tap/sunday). Homebrew itself is a common channel, but the tap is not a widely-known/official upstream and no homepage/source repo is provided in the metadata — you should verify the formula and upstream source before installing. The install type is not an arbitrary URL download, which reduces risk, but trust in the tap is unclear.
Credentials
The skill declares no required environment variables, but it stores encryption keys/credentials client-side in ~/.sunday/config.json and promises no further PIN prompts after initial login. That means the agent (and any process with access to that file) can access the vault persistently. The manifest did not declare this config path or any primary credential, so the degree of persistent secret access is understated in the metadata.
Persistence & Privilege
The skill is not force-installed (always:false) and model invocation is allowed (default). Autonomous invocation combined with stored local keys yields a higher blast radius because the agent can autonomously read inboxes and decrypt passwords without human re‑authentication. This combination is expected for this class of skill but is sensitive — verify you trust the binary and its install location.
What to consider before installing
Before installing: verify the Homebrew formula and upstream source (inspect the ravi-technologies tap and the sunday formula); confirm there is a trustworthy project repo and privacy/security documentation. Understand that after you run 'sunday auth login' the CLI will store encryption keys and credentials in ~/.sunday/config.json so the agent can access email and decrypted passwords without further prompts — treat that file as high‑value secret material. If you cannot verify the publisher, avoid installing the binary on a machine with other sensitive data (consider a disposable VM/container). Prefer vendors with a public code repo, audited client-side crypto details, and a clear privacy policy. If you proceed, inspect the installed binary and its config file permissions, and consider isolating the agent (restricted user account, minimal file permissions) to reduce risk of secret exposure.Like a lobster shell, security has layers — review code before you run it.
latestvk97baq4qpw5rxw38xpnshanqcn8133ww
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
☀️ Clawdis
Binssunday
Install
Install Sunday CLI via Homebrew
Bins: sunday
brew install ravi-technologies/tap/sunday