Thrd Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for a dedicated agent email inbox, but it grants real email/account authority and includes a long-polling helper, so the Thrd API key should be tightly scoped and protected.
This skill does not show artifact-backed malicious behavior. Before installing, treat THRD_API_KEY like a real account credential, use a dedicated agent inbox rather than a personal mailbox, require approval for outbound email or billing-related actions if appropriate, avoid untrusted base URLs, and supervise the polling daemon if you run it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
With a valid API key, the agent can send emails or replies that affect recipients, account reputation, and usage limits.
The documented API allows the agent to send and reply to email from the dedicated inbox. This is central to the skill's purpose and disclosed, but it is an externally visible action.
**POST** `https://api.thrd.email/v1/reply`
**POST** `https://api.thrd.email/v1/send`
Use a dedicated inbox as recommended, set clear approval rules for outbound email, and monitor usage and delivery status.
If an untrusted instruction changes the base URL, the Thrd API key could be exposed to a non-Thrd server.
The polling helper sends the THRD_API_KEY bearer token to the configured base URL. The default is the expected Thrd API endpoint, but overriding it would send the token to that host.
`parser.add_argument("--base-url", default="https://api.thrd.email")` ... `"Authorization": f"Bearer {api_key}"`
Do not override `--base-url` unless it is a trusted Thrd endpoint, and keep THRD_API_KEY in a secret manager with rotation available.
If left running, the helper can continue consuming and acknowledging inbox events until stopped.
The fallback polling helper is intentionally long-running and continues polling until interrupted. It is disclosed in SKILL.md as a fallback delivery strategy.
`while True:`
Run the daemon only when needed, supervise it like a background service, and stop it when the agent should no longer process mail.
A future install could pull a newer requests release than the author tested.
The dependency is specified with a lower bound rather than an exact pin or lockfile. This is common for a small Python helper, but installs can resolve to newer package versions.
`requests>=2.31.0`
Install in an isolated environment and consider pinning dependencies if reproducibility is important.
A poorly configured webhook receiver could be spoofed into polling or acting on unexpected wake events.
The optional wake webhook creates provider-to-runtime communication. The artifacts document signature fields, which is appropriate, but the receiving runtime still needs to validate them.
When configured, THRD sends signed `inbox.pending` pings ... `x-thrd-signature: v1=<hex_hmac_sha256(timestamp + "." + raw_body)>`
Use HTTPS webhook endpoints, verify Thrd signatures and timestamps, and disable the webhook when it is not needed.
