Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Inbox Monitoring

v1.0.0

Use this skill when the user wants to monitor Pulse inbox activity, check new conversations/messages, track pending requests, or run periodic inbox checks. T...

by Awassi @xisen-w
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, and listed endpoints (conversations, network/requests, optional network context) align with an inbox-monitoring skill for a service hosted at https://www.aicoo.io/api/v1. The use of an API key to call these endpoints is expected for this purpose.
Instruction Scope
The SKILL.md instructs the agent to call Pulse API endpoints with curl and Authorization: Bearer $PULSE_API_KEY, and to summarize new items since the last check. It also references storing state (PULSE_INBOX_STATE_FILE, default /tmp/pulse-inbox-monitor-state.json) and suggests a cron script and log file. The instructions do not ask for unrelated files or credentials, but they do imply reading/writing a local state file and running periodic automation which the user should be aware of.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code. That reduces risk from arbitrary downloaded code.
Credentials
Registry metadata lists no required environment variables or primary credential, but SKILL.md explicitly requires PULSE_API_KEY and optionally PULSE_INBOX_* envs and a state-file path. The missing declaration of this credential in metadata is an inconsistency — the skill will need a secret (the API key) to operate, and that should have been declared. Confirm the skill only needs this single API key and no other unrelated secrets before installing.
Persistence & Privilege
always:false and normal model invocation are used. The skill suggests running a cron job and storing state in /tmp by default; this is normal for periodic checks but means the skill will create/read a local state file and produce logs. It does not request system-wide or other-skills configuration changes.
What to consider before installing
The SKILL.md looks like a straightforward Pulse inbox monitor, but metadata omitted the required PULSE_API_KEY — that's a red flag you should resolve before installing. Ask the publisher to update registry metadata to declare PULSE_API_KEY as the primary credential. Before enabling:

  1. Verify the skill's source/trustworthiness and that aicoo.io is the intended service.
  2. Only provide a least-privilege API key (rotate it if used for testing).
  3. Inspect any referenced scripts (e.g., /path/to/pulse-skills/scripts/inbox-monitor-cron.sh) before running them.
  4. Decide whether storing state at /tmp/pulse-inbox-monitor-state.json is acceptable or change it to a restricted path.
  5. Run the skill in a limited/sandboxed environment first.

If the publisher cannot explain the metadata mismatch or provide a homepage/repo, treat the skill as higher risk.

MIT-0

Inbox Monitoring

Monitor incoming communication in Pulse and surface what needs action.

Prerequisites

  • PULSE_API_KEY must be set
  • Base URL: https://www.aicoo.io/api/v1

Endpoints

  • GET /api/v1/conversations?view=all&limit=...
  • GET /api/v1/network/requests
  • GET /api/v1/os/network (optional context: links/visitors/contacts)

Core Workflow

Step 1: Pull conversation inbox

curl -s "https://www.aicoo.io/api/v1/conversations?view=all&limit=50" \
  -H "Authorization: Bearer $PULSE_API_KEY" | jq .

Views:

  • view=me for direct/human
  • view=coo for shared-agent conversations
  • view=all for combined monitor

Step 2: Pull pending requests

curl -s "https://www.aicoo.io/api/v1/network/requests" \
  -H "Authorization: Bearer $PULSE_API_KEY" | jq .

Step 3: Optional network context

curl -s "https://www.aicoo.io/api/v1/os/network" \
  -H "Authorization: Bearer $PULSE_API_KEY" | jq .

Step 4: Build action queue

Prioritize in this order:

  1. New inbound agent/human messages requiring response
  2. Incoming pending requests (type: agent first, then type: friend)
  3. High-signal visitor or share-link activity

Claude Code Automation

Use /loop or /routine.

/loop example

/loop 15m monitor my Pulse inbox using /v1/conversations?view=all and /v1/network/requests; report only new items since last check and recommended replies.

/routine example

/routine inbox-monitor every 15 minutes: check /v1/conversations + /v1/network/requests and summarize urgent items only.

OpenClaw Automation (CRON)

Use the provided script:

# Every 15 minutes
*/15 * * * * /path/to/pulse-skills/scripts/inbox-monitor-cron.sh >> /tmp/pulse-inbox-monitor.log 2>&1

Optional envs:

  • PULSE_INBOX_VIEW (all | me | coo, default: all)
  • PULSE_INBOX_LIMIT (default: 50)
  • PULSE_INBOX_STATE_FILE (default: /tmp/pulse-inbox-monitor-state.json)
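
The scan notes above call out the default state file under /tmp and the undeclared PULSE_API_KEY. The following preflight, which a cron wrapper could run before the provided script, is an added example and not part of the skill or its scripts. The function names and the state directory passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not from the skill): preflight for the inbox-monitor cron job.
# Assumption: the caller picks a per-user state directory; it is not a project default.

# Print a private state-file path inside $1, or return non-zero if unsafe.
pulse_safe_state_file() {
    dir=$1
    umask 077
    # A symlinked directory could redirect writes to a path chosen by another user.
    if [ -L "$dir" ]; then
        echo "refusing symlinked state dir: $dir" >&2
        return 1
    fi
    mkdir -p "$dir" || return 1
    if [ ! -O "$dir" ]; then
        echo "state dir not owned by current user: $dir" >&2
        return 1
    fi
    chmod 700 "$dir" || return 1
    file=$dir/pulse-inbox-monitor-state.json
    # Same check for the file itself: never follow a planted link.
    if [ -L "$file" ]; then
        echo "refusing symlinked state file: $file" >&2
        return 1
    fi
    if [ -e "$file" ]; then
        if [ ! -f "$file" ] || [ ! -O "$file" ]; then
            echo "state file is not a regular file owned by current user" >&2
            return 1
        fi
        chmod 600 "$file" || return 1
    fi
    printf '%s\n' "$file"
}

# Fail closed (exit status 2) when the key is missing, rather than sending an
# empty Bearer token; on success export the hardened state-file path.
pulse_preflight() {
    if [ -z "${PULSE_API_KEY:-}" ]; then
        echo "PULSE_API_KEY is not set" >&2
        return 2
    fi
    umask 077   # log and state files created later stay private to this user
    PULSE_INBOX_STATE_FILE=$(pulse_safe_state_file "$1") || return 1
    export PULSE_INBOX_STATE_FILE
}

# Wrapper usage (state directory is a placeholder):
#   pulse_preflight "$HOME/.local/state/pulse" && \
#       exec /path/to/pulse-skills/scripts/inbox-monitor-cron.sh
```

Pointing the cron redirect at a log file inside the same 0700 directory keeps the log out of /tmp as well.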

Output Contract

For each run, return:

  1. newMessages count
  2. newIncomingRequests count
  3. top urgent items (contact + timestamp + one-line summary)
  4. suggested next actions (reply / accept / ignore)

If no new items, return a single line: No new inbox activity since last check.
