ClawHub

Snail Mail

v1.0.2

A slow-channel inbox for leaving your operator important messages. Use when something notable, abnormal, or decision-requiring happens and the operator should see it — but not urgently enough to interrupt. Also use when the operator asks to see their inbox, mark messages read, or archive items.

0· 781·0 current·0 all-time
byMemeothy@dvdegenz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation. The script provides an on-disk inbox (messages.json) and CLI for add/list/read/archive/render which fits the stated slow-channel inbox purpose. Required binary (node) and env vars (workspace, channel) are appropriate for local storage and presentation.
Instruction Scope
SKILL.md instructs the agent to run the included Node script for all inbox operations and to check unread urgent items during heartbeats. The instructions only reference the workspace path and OPENCLAW_CHANNEL (both declared) and do not ask the agent to read unrelated files or transmit data externally. The guidance to not add commentary when rendering is an operational preference, not a security issue.
Install Mechanism
There is no install spec (instruction-only with an included script). That keeps risk low: nothing is downloaded or installed automatically. The single included script is plain Node.js code with no external network calls or hidden install steps.
Credentials
The declared required env vars (OPENCLAW_WORKSPACE and OPENCLAW_CHANNEL) are reasonable for storage and channel auto-formatting. Minor inconsistency: the code falls back to process.env.HOME and allows an empty OPENCLAW_CHANNEL (defaults to text rendering); nevertheless requiring the env vars in metadata is not harmful but slightly disproportionate to the script's defaults.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide settings. It writes only to a workspace subdirectory (inbox/messages.json). Autonomous invocation is allowed (platform default) and appropriate here since the skill is meant to be checked during heartbeats.
Assessment
This skill is a simple, local inbox implemented in Node and appears to do only what it says: write/read messages at {workspace}/inbox/messages.json and render them for different channels. Before installing, consider: (1) choose a safe OPENCLAW_WORKSPACE location (don't point it at a directory with sensitive secrets) because messages are stored in plaintext JSON; (2) OPENCLAW_CHANNEL controls render formatting—set it appropriately; (3) the skill will potentially run during automated heartbeats and surface urgent unread items, so be comfortable with the agent proactively notifying you; (4) the metadata lists the env vars as required though the script has sensible fallbacks—this is a minor inconsistency but not malicious; and (5) if you want absolute assurance, inspect the included scripts/inbox.js file yourself (it contains no network calls or obfuscated code). Overall the package is coherent and low-risk for typical use.

Like a lobster shell, security has layers — review code before you run it.

latestvk9787k62rez85hs1eccxtr5pc981098s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvOPENCLAW_WORKSPACE, OPENCLAW_CHANNEL

Comments