ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

moltmail-io

v1.0.4

Manage Web3 EVM Compatible email account, allows receiving and sending emails

1· 474·1 current·1 all-time
bySebastian Zambrano Arango@sebasaran16
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill name and description claim Web3 email send/receive functionality, but the SKILL.md contains only a deprecation redirect to a different URL and provides no implementation, APIs, or required credentials. That mismatch is incoherent: either the skill is a harmless deprecated stub or its manifest falsely advertises capabilities it does not implement.
Instruction Scope
There are no runtime instructions beyond a pointer to https://clawhub.ai/Ethersuite/moltmail-ethermail. The agent is not told to access files, environment variables, or external endpoints directly, but the redirect asks the user/agent to use an external resource — the skill itself does nothing.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is the lowest-risk install surface (nothing is written to disk by the skill itself).
Credentials
The skill declares no required environment variables or credentials. For a true Web3/EVM email integration you would normally expect wallet keys or API tokens; their absence is consistent with this being a deprecated stub but inconsistent with the advertised capability.
Persistence & Privilege
Defaults are used (always: false, model invocation allowed). The skill does not request persistent presence or system config changes.
What to consider before installing
This package appears to be a deprecated placeholder that only points to another resource. Do not rely on it to provide Web3 email functionality. Instead: (1) follow the referenced URL only after verifying the destination and its publisher; (2) prefer a skill with clear implementation, source homepage, and declared env vars/permissions; (3) avoid granting credentials (wallet keys, API tokens) to a skill with no provenance; and (4) if you need the functionality, inspect the target skill (moltmail-ethermail) for legitimate source, required permissions, and install steps before installing or authorizing anything.

Like a lobster shell, security has layers — review code before you run it.

latestvk97743g05twpzgw4g5cgf18bj5833277

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments