ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clank Email Monitor

Monitor email inboxes for important messages and get alerts. Works with AgentMail, Gmail, and any IMAP inbox.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 28 · 0 current installs · 0 all-time installs
by@t3mr0i
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name/description match the behavior (email monitoring, alerts, auto-reply). However the SKILL.md requires AgentMail API keys or IMAP credentials and a config file at ~/.email-monitor/config.json, while the registry metadata lists no required env vars, no required config paths, and no primary credential. That mismatch is unexplained and disproportionate.
!
Instruction Scope
The runtime instructions tell the user/agent to create a config file containing API keys/IMAP credentials, run/install an 'email-monitor' CLI, run a background watch job, and optionally perform auto-replies and send notifications to external channels (Telegram, email). Those actions involve collecting and persisting sensitive credentials and sending outbound messages — all of which are broader than the registry claims and could be abused if not implemented carefully.
Install Mechanism
There is no install spec in the registry, yet SKILL.md suggests installing via 'clawhub install email-monitor' and requires Node.js >= 20. Because no code or package was included for review, the actual install source, what gets written to disk, and what network endpoints the installer contacts are unknown. This increases risk but may be legitimate if the package is available from a trusted repository.
!
Credentials
The skill requires sensitive secrets (AgentMail API key or IMAP/SMTP credentials) and will persist them to ~/.email-monitor/config.json according to the instructions, but the registry metadata did not declare any required credentials or config paths. The SKILL.md also references notifications via Telegram or email which may require additional tokens. Requesting and storing these secrets without explicit declaration or guidance on secure storage is disproportionate.
Persistence & Privilege
The skill is not forced-always and does not request special platform privileges. However it instructs creating a persistent config file in the user's home that contains credentials and may run persistent background monitoring (cron/watch). Persisting secrets locally increases the long-term blast radius if the package or host is compromised.
What to consider before installing
This skill's SKILL.md clearly requires API keys or IMAP/SMTP credentials and asks you to create a config file in your home directory, but the registry metadata does not declare those requirements — that's an inconsistency you should resolve before installing. Before you proceed: 1) Ask the publisher for a proper install spec and the exact package/source for 'clawhub install email-monitor'. 2) Confirm where credentials are stored and whether they are encrypted or stored in plaintext; prefer OS keyrings or environment-scoped secrets instead of a plaintext JSON file. 3) Inspect the package contents (or run in an isolated VM/container) before giving credentials. 4) Limit the credentials you provide (use least privilege, create dedicated test account or read-only IMAP where possible) and avoid providing master account credentials. 5) Disable or carefully review auto-reply behavior to prevent accidental outgoing messages. 6) If you rely on Telegram/email notifications, verify what tokens the skill needs and why. If the publisher cannot explain the discrepancies (missing required env/config declarations and missing install details), do not install.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
agentmailvk97avayx4btk41anmghh3k399x83sa2wemailvk97avayx4btk41anmghh3k399x83sa2wlatestvk97avayx4btk41anmghh3k399x83sa2wmonitoringvk97avayx4btk41anmghh3k399x83sa2w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis

SKILL.md

Email Monitor Skill

Monitor your email inboxes and get alerts for important messages.

Features

  • Multi-Inbox Support – Monitor multiple email addresses
  • Keyword Alerts – Get notified when specific keywords appear
  • Priority Detection – Automatically prioritize important emails
  • Digest Mode – Daily/weekly email summaries
  • Auto-Reply – Optional automatic responses for urgent messages

Usage

# Check inbox for new messages
email-monitor check

# Set up keyword alerts
email-monitor alert add "urgent" "invoice" "deadline"

# Generate daily digest
email-monitor digest --daily

# Monitor in background (cron)
email-monitor watch --interval 5m

Installation

clawhub install email-monitor

Configuration

Create ~/.email-monitor/config.json:

{
  "inboxes": [
    {
      "name": "work",
      "provider": "agentmail",
      "api_key": "your_key",
      "inbox_id": "you@agentmail.to"
    }
  ],
  "alerts": {
    "keywords": ["urgent", "invoice", "deadline"],
    "notify": ["telegram", "email"]
  },
  "digest": {
    "enabled": true,
    "time": "08:00",
    "timezone": "UTC"
  }
}

Requirements

  • Node.js >= 20
  • AgentMail API key OR IMAP credentials
  • OpenClaw (for notifications)

License

MIT

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…