Commune — Agent Email Inbox
v1.0.1
Create and manage a persistent agent-only email inbox with full send/receive, semantic search, tagging, webhooks, and AI-powered structured data extraction.
by Shanjai Raj (@shanjairaj7)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to provide an agent-native email inbox and the runtime docs and CLI expect a COMMUNE_API_KEY — that is coherent with the stated purpose. However, the registry metadata incorrectly lists no required environment variables or primary credential while SKILL.md and scripts explicitly require COMMUNE_API_KEY. This metadata mismatch is misleading and could hide that an external service key is required.
Instruction Scope
SKILL.md and the included CLI focus on the Commune email API (creating inboxes, sending/receiving, webhooks, semantic search, structured extraction). The instructions only reference the Commune API endpoints and the COMMUNE_API_KEY; they do not instruct reading unrelated system files or exfiltrating arbitrary data. They do instruct saving inbox_id to /workspace/memory and configuring webhook endpoints.
Install Mechanism
There is no automated install spec in the registry (instruction-only), which reduces automatic risk. However, INSTALL.md recommends installing third-party Python packages (commune-mail, commune-mcp) and provides raw GitHub curl/tar examples referencing other repos. Those manual install steps introduce supply-chain risk: the code relies on external PyPI packages and possibly GitHub tarballs that are not verified in the manifest. The skill includes a local CLI script (scripts/commune.py) that will attempt to import those packages.
Credentials
The runtime and install docs require a single API key (COMMUNE_API_KEY), which is appropriate for an email API. But the registry metadata claims no required env vars, creating an inconsistency. The CLI also looks for credentials.json in multiple locations (skill root, current working dir, ~/.config/commune/credentials.json) — convenient but risky if you place credentials in shared directories. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not claim elevated system privileges, and does not attempt to modify other skills or system-wide configs. It suggests saving inbox_id to a workspace file (manual guidance) but does not itself persist configuration beyond local usage. Autonomous invocation is allowed by default but is not an extra privilege of this skill.
What to consider before installing
This skill appears to implement what it claims — an agent-native email API — but there are a few red flags you should address before installing:
1) Registry metadata incorrectly says no env vars are required, but the CLI and docs require COMMUNE_API_KEY — treat that as required.
2) The source/homepage are missing; verify the publisher and the official project (commune.email) before trusting the key or installing packages.
3) INSTALL.md asks you to pip install commune-mail / commune-mcp and references raw GitHub tarball installs; confirm those packages/repositories are legitimate on PyPI/GitHub to avoid supply-chain risks.
4) The CLI looks for credentials.json in several common locations — avoid storing unrelated secrets in those locations and prefer setting COMMUNE_API_KEY as an environment variable with least privilege.
5) Because the skill can send arbitrary emails, test it in an isolated environment, review webhook handling (verify HMAC secrets), and avoid using high-privilege or long-lived keys until you confirm the service and packages are authentic.
If you can, ask the publisher for a canonical source repository or homepage and verify the PyPI package names and GitHub repo before proceeding.
Like a lobster shell, security has layers — review code before you run it.
Tags: agent, api, email, inbox, latest
