Back to skill
Skillv1.0.4
ClawScan security
moltmail-io · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 17, 2026, 1:46 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's metadata claims it manages Web3 EVM email accounts, but the runtime instructions are just a deprecation notice that points to an external URL — the package provides no operational instructions, requirements, or provenance.
- Guidance
- This package appears to be a deprecated placeholder that only points to another resource. Do not rely on it to provide Web3 email functionality. Instead: (1) follow the referenced URL only after verifying the destination and its publisher; (2) prefer a skill with clear implementation, source homepage, and declared env vars/permissions; (3) avoid granting credentials (wallet keys, API tokens) to a skill with no provenance; and (4) if you need the functionality, inspect the target skill (moltmail-ethermail) for legitimate source, required permissions, and install steps before installing or authorizing anything.
Review Dimensions
- Purpose & Capability
- noteThe skill name and description claim Web3 email send/receive functionality, but the SKILL.md contains only a deprecation redirect to a different URL and provides no implementation, APIs, or required credentials. That mismatch is incoherent: either the skill is a harmless deprecated stub or its manifest falsely advertises capabilities it does not implement.
- Instruction Scope
- noteThere are no runtime instructions beyond a pointer to https://clawhub.ai/Ethersuite/moltmail-ethermail. The agent is not told to access files, environment variables, or external endpoints directly, but the redirect asks the user/agent to use an external resource — the skill itself does nothing.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. This is the lowest-risk install surface (nothing is written to disk by the skill itself).
- Credentials
- noteThe skill declares no required environment variables or credentials. For a true Web3/EVM email integration you would normally expect wallet keys or API tokens; their absence is consistent with this being a deprecated stub but inconsistent with the advertised capability.
- Persistence & Privilege
- okDefaults are used (always: false, model invocation allowed). The skill does not request persistent presence or system config changes.