Email Webhook

This skill appears to implement an email webhook server, but there are several mismatches you should review before installing: - Environment variables: the code requires OPENCLAW_AGENT_ID (and optionally OPENCLAW_GATEWAY_TOKEN) but only WEBHOOK_SECRET is declared in the registry. Confirm you are comfortable providing an agent ID and, if used, a gateway token (sensitive) to this process. - Binaries: the script calls `openssl` to generate a self-signed cert. Ensure openssl is available on the host or the startup will fail; the registry didn't list openssl as required. - Wake behavior mismatch: SKILL.md says it triggers `openclaw system event`, but the code runs `openclaw agent ... --message ... --deliver`. Verify that this wake mechanism aligns with your expectations and permissions for the agent CLI. - Network behavior: on startup the server calls an external IP service (api.ipify.org) and attempts to reach back to its public IP:port. This leaks the host's public IP to a third party and probes your port; review whether you accept that behavior. - Data storage & exposure: incoming emails (raw body and metadata) are appended to a local inbox.jsonl file and a self-signed certificate is stored under ../ssl. Ensure the host filesystem and backups are acceptable places for potentially sensitive email content and that firewall/Cloudflare setup is configured safely. Recommendation: if you plan to install, (1) request the skill author to update the registry metadata to declare OPENCLAW_AGENT_ID and optional OPENCLAW_GATEWAY_TOKEN and to list openssl as a required binary, (2) audit the openclaw CLI invocation and confirm the gateway token scope, (3) run the server in a restricted environment (dedicated host or container), set a strong WEBHOOK_SECRET, and ensure firewall/Cloudflare settings restrict exposure. If you cannot verify those items, treat the skill as suspicious and do not deploy it on a sensitive/shared host.