Thrd Skill
Result: Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill appears coherent and purpose-aligned for a dedicated agent email inbox, but users should protect its API key and carefully control outbound email, billing, polling, and callback use.
Install this only if you want your agent to operate a dedicated thrd.email inbox. Keep `THRD_API_KEY` in a secret manager, define approval rules for outbound email and billing upgrades, use the default trusted API endpoint, and be cautious with the polling daemon and any `--on-events` callback.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is allowed to use these capabilities too broadly, it could contact recipients or initiate an account upgrade flow in ways the user did not intend.
The documented API can send or reply to email and create billing checkout URLs. These are central to the skill's purpose and disclosed, but they are higher-impact actions.
**POST** `https://api.thrd.email/v1/reply` **POST** `https://api.thrd.email/v1/send` ... **POST** `https://api.thrd.email/v1/billing/checkout/self`
Set clear agent policy for when email may be sent or replied to, require human approval for sensitive outbound messages and plan changes, and monitor usage limits.
Anyone who obtains the API key could operate the Thrd inbox and related tenant functions available to that key.
The skill provisions and uses a service API key for the dedicated inbox. The artifact warns not to persist it, which is good, but the key grants account authority.
This prints a JSON payload to stdout that includes `api_key`... Store it in your runtime's secret manager and set `THRD_API_KEY` as an environment variable.
Store `THRD_API_KEY` only in a secret manager, avoid pasting it into chat or logs, and rotate it if it is exposed.
Using an untrusted base URL could disclose the API key to a non-Thrd service.
The poll daemon sends the bearer token to the configured base URL. The default is the expected Thrd API, but overriding it should be treated as sensitive.
```python
parser.add_argument("--base-url", default="https://api.thrd.email")
...
"Authorization": f"Bearer {api_key}"
...
requests.get(f"{base_url}/v1/events", headers=headers
```

Use the default Thrd API host unless you have a trusted reason to override it; do not let untrusted instructions choose the base URL.
Incoming email events can repeatedly trigger whatever local command the user configured.
The optional --on-events callback runs a local command when inbox events are received. It avoids shell execution, but it still executes a configured program.
```python
if on_events_cmd:
    subprocess.run(on_events_cmd, shell=False, check=False)
```

Use only harmless, owner-approved callback commands and avoid commands with destructive side effects or secret exposure.
The process can keep receiving and acknowledging inbox events until it is stopped.
The daemon continuously polls and persists a cursor until interrupted. This is disclosed as a fallback delivery mechanism, but it is long-running background behavior.
```python
while True:
    ...
    requests.get(... "/v1/events" ...)
    ...
    save_cursor(cursor_path, cursor)
```
Run the daemon only when needed, supervise it with normal process controls, and stop it when the agent should no longer monitor the inbox.
