Ethermail
v1.1.0Access Web3 email via EtherMail using WalletConnect. Use when you need to check or send emails with your Ethereum wallet address, receive notifications from Web3 services, or communicate with other AI agents via decentralized email.
⭐ 0· 1.3k·0 current·0 all-time
byJu Chun Ko@daaab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to provide Web3 email access via WalletConnect and includes a Puppeteer script to extract the WalletConnect URI; the puppeteer dependency and the extract-wc-uri.js script are coherent with that purpose.
Instruction Scope
SKILL.md instructs the user/agent to provide a PRIVATE_KEY and to run an external 'walletconnect-agent' skill to perform signing. The skill does not declare any required env vars but the runtime instructions explicitly use PRIVATE_KEY; that mismatch is a scope/visibility issue. The instructions also direct automated browser navigation and clicking, which is expected for this purpose but requires careful isolation because it triggers auth flows.
Install Mechanism
There is no install spec (instruction-only), which lowers install risk, but package.json and a dependency on puppeteer are present. Puppeteer is an expected npm dependency for browser automation; no downloads from anonymous URLs or extracts are used. Consumers should be aware the skill expects an npm environment to install puppeteer if they run the script.
Credentials
The SKILL.md demonstrates exporting PRIVATE_KEY and running the walletconnect-agent which will sign messages with that key. The skill metadata lists no required environment variables or primary credential, so explicit handling of a private key is not declared in the manifest. Requesting access to a raw private key is high privilege and should be justified and limited (e.g., ephemeral dedicated wallet only).
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not attempt to modify other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.
What to consider before installing
Key things to consider before installing/using this skill:
- Source verification: the skill lists no homepage and the source is unknown. Confirm the author/owner and that you're comfortable installing code from this publisher before running anything.
- Private key risk: the instructions show using export PRIVATE_KEY and running a separate walletconnect-agent to automatically sign personal_sign requests. That requires exposing a private key to software — only use an isolated, disposable wallet with no funds you care about. Do NOT use your primary or large-balance keys.
- Inspect walletconnect-agent: the skill depends on a separate 'walletconnect-agent' skill (not included). Review that agent's code and behavior before giving it any credentials or private keys; it performs sensitive signing actions.
- Run in isolation: run the Puppeteer script and any wallet agent inside an isolated environment (container or VM) and with sandboxing enabled, as recommended. Avoid disabling the browser sandbox.
- Prefer safer UX: use the Telegram Mini App path if possible (it avoids giving raw private keys to scripts). If you must use automation, prefer hardware-backed signing workflows or manual approval flows rather than exporting private keys to env vars.
- Minimal testing: test first with an empty/dedicated test account and confirm the entire flow behaves as you expect (no unexpected network calls, no logging of private data).Like a lobster shell, security has layers — review code before you run it.
latestvk977jmjcfnanz4vt4v0xw5mx4580rcmp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.