ClawHub

Openclaw

v1.0.5

Give an AI agent a real inbox and outbound email using Robotomail. Use this skill when the user asks you to send email, check inbox, read messages, reply to...

1· 214·0 current·0 all-time
by@johnjoubert
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md describes an email integration (sending, receiving, webhooks, SSE, domains) and the only required credential is ROBOTOMAIL_API_KEY, which is appropriate for the stated purpose. Minor inconsistency: registry metadata lists the skill name as "Openclaw" while the SKILL.md and slug use "robotomail"; the source/homepage are unknown which reduces provenance/trust but does not contradict functionality.
Instruction Scope
Runtime instructions are limited to calling Robotomail HTTP endpoints (list mailboxes, send/read messages, manage domains/webhooks, SSE). They do not instruct reading unrelated system files or unrelated environment variables. The webhook verification examples reference storing a webhook secret in an environment variable (e.g., WEBHOOK_SECRET) but that variable is not declared as required by the skill; this is a documentation/example mismatch rather than explicit exfiltration.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to be written/executed locally, which is the lowest-risk install model.
Credentials
The single required env var (ROBOTOMAIL_API_KEY) is proportional to an API-based email integration. No unrelated credentials or filesystem config paths are requested. Note: webhook examples mention a WEBHOOK_SECRET (used to verify inbound webhooks) but that is an implementation detail and not declared as required by the skill.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system settings, and has no declared persistence requirements. Autonomous invocation is enabled (default) which is normal for skills; consider that an agent with this key can send/receive email on behalf of the account.
Assessment
This skill appears to be what it says: an API-first Robotomail integration that only needs a Robotomail API key. Before installing, consider: (1) provenance — the publisher and homepage are unknown and the registry name mismatches the SKILL.md (robotomail vs Openclaw), so verify the source if you need stronger trust; (2) privilege — anyone with the provided ROBOTOMAIL_API_KEY can send and read mail for that account, so prefer creating a scoped API key limited to specific mailboxes or minimal scopes; (3) webhooks — if you configure webhooks, save the webhook secret securely (examples reference WEBHOOK_SECRET but the skill doesn't declare it); (4) data sensitivity — the agent will be able to read emails and attachments (PII), so only enable this skill for agents you trust and consider auditing outbound messages and rate limits; (5) review Robotomail's privacy and terms at robotomail.com before providing credentials. If you need higher assurance, ask the publisher for a verifiable homepage or source repository and prefer scoped keys instead of a full-account key.

Like a lobster shell, security has layers — review code before you run it.

latestvk979dcygz5jc79fs5cs0dhbzph84kcyw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvROBOTOMAIL_API_KEY
Primary envROBOTOMAIL_API_KEY

Comments