Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Manage your tuta.com account

v1.0.0

Send, read, and manage emails via Tuta (formerly Tutanota) encrypted email service. Use when user asks to send emails, check inbox, read mail, or do any emai...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aididmyhomework/tutacom.

Install the skill "Manage your tuta.com account" (aididmyhomework/tutacom) from ClawHub.
Skill page: https://clawhub.ai/aididmyhomework/tutacom
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tutacom

ClawHub CLI


npx clawhub@latest install tutacom
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The script implements login, inbox, read, and send functionality against https://app.tuta.com/rest, which matches the skill description. However the registry metadata claims no required environment variables or config paths, while SKILL.md instructs the user to store TUTA_EMAIL and TUTA_PASSWORD in openclaw.json under skills.entries.tuta-mail.env. That metadata/requirements mismatch is a clear incoherence.
Instruction Scope
Runtime instructions tell the agent to save a session file containing access token and decrypted keys to /tmp/tuta_session.json and to store credentials in openclaw.json (agent config). Saving decrypted keys to disk and instructing to place plaintext credentials into the agent config increases exposure and is not declared in the skill metadata. The instructions also require installing Python crypto packages and use an undocumented REST API — understandable for this functionality but worth noting.
Install Mechanism
This is an instruction-only skill with an included Python script. There is no formal install spec; the SKILL.md recommends pip installing dependencies. That is a moderate-risk, common pattern for script-based skills but means code will be executed locally and dependencies installed at runtime.
Credentials
The client legitimately needs the user's Tuta email and password, which the SKILL.md requests as TUTA_EMAIL and TUTA_PASSWORD. However the registry metadata lists no required env vars or primary credential and declares no required config paths. The skill asks to persist decrypted passphrase_key and group keys in the session file (sensitive material). The credential storage and lack of metadata declaration are disproportionate/inconsistent.
Persistence & Privilege
always:false and model invocation allowed (defaults) — normal. The SKILL.md asks the user to write credentials into openclaw.json (agent config) and to persist a session file under /tmp; writing its own session file is normal for a client, but storing sensitive decrypted keys in a broadly accessible file and modifying agent config without the metadata declaring config usage increases the risk profile.
What to consider before installing
This skill mostly does what it says (a Tuta client), but there are multiple red flags you should resolve before installing:

  1. The registry metadata does not declare the TUTA_EMAIL/TUTA_PASSWORD env vars or the config path even though SKILL.md instructs you to store credentials in openclaw.json — ask the publisher to correct the metadata.
  2. The script and instructions persist decrypted keys and the passphrase_key in a session JSON file; avoid storing plaintext credentials or decrypted keys where other processes or users can read them.
  3. The SKILL.md suggests pip-installing crypto libraries; review those installs and prefer using a virtualenv or sandboxed environment.
  4. The included Python file (as provided) contains a likely syntax/truncation error during session loading — ask for a clean, reviewed release and verify the code before running.
  5. Because this uses an undocumented API, the client may break or behave unexpectedly; prefer official/documented integrations when possible.

If you still want to use it, test in an isolated environment, don't reuse your primary password (consider app-specific password if supported), and request that the author: (a) declare required env/config in the registry metadata, (b) remove writing raw decrypted keys to disk or protect them with OS-level permissions/encryption, and (c) provide a signed, reviewed release.

Like a lobster shell, security has layers — review code before you run it.

latest: vk978adr6sjj7ej8mn8rqwzx2bd832h0p
190 downloads
0 stars
1 version
Updated 23h ago
v1.0.0
MIT-0

Tuta Mail

Interact with Tuta (Tutanota) encrypted email via the undocumented REST API at https://app.tuta.com/rest/. All content is E2E encrypted — the client handles crypto locally.

Prerequisites

Python 3 with: requests, pycryptodome, bcrypt, argon2-cffi.

Install if missing:

python3 -m pip install --break-system-packages requests pycryptodome bcrypt argon2-cffi

Credentials

Store in openclaw.json under skills.entries.tuta-mail.env:

  • TUTA_EMAIL — Tuta email address
  • TUTA_PASSWORD — account password

Usage

All commands via scripts/tuta_client.py (resolve path relative to this skill directory).

Login (always do first)

python3 scripts/tuta_client.py login \
  --email "$TUTA_EMAIL" --password "$TUTA_PASSWORD" \
  --session-file /tmp/tuta_session.json

Saves session (access token + decrypted keys) to the session file. Reuse until it expires.

List Inbox

python3 scripts/tuta_client.py inbox \
  --session-file /tmp/tuta_session.json --count 20

Returns JSON array with id, subject, sender, date, unread for each mail.

Read Email

python3 scripts/tuta_client.py read \
  --mail-id "listId/elementId" \
  --session-file /tmp/tuta_session.json

Use the id from inbox listing. Returns decrypted subject, sender, date, body.

Send Email (External Recipients)

python3 scripts/tuta_client.py send \
  --to "recipient@example.com" \
  --subject "Subject line" \
  --body "Email body text" \
  --sender-name "Display Name" \
  --session-file /tmp/tuta_session.json

Sends non-confidential email to external (non-Tuta) recipients. Creates draft then sends.

Workflow

  1. Login once per session → cache /tmp/tuta_session.json
  2. If any command returns auth error (401/403), re-login
  3. For inbox checks: login → inbox → optionally read specific mails
  4. For sending: login → send
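
The scan above flags that the session file (access token plus decrypted keys) is cached under /tmp. The following sketch is an added example, not part of the skill or of OpenClaw: it places the file in a per-user 0700 directory and checks ownership and mode before the file is reused. The function names, the tuta-session directory name, and the assumption that tuta_client.py creates the file under the caller's umask are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code): keep the Tuta session file,
# which holds the access token and decrypted keys, out of shared /tmp.

# Return 0 only if $1 is a regular file (not a symlink), owned by the
# current user, with no group or other permission bits set.
session_file_is_private() {
  local f=$1 bits
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  [ -O "$f" ] || return 1
  # Characters 5-10 of the ls mode string are the group and other bits.
  bits=$(ls -ld -- "$f" | cut -c5-10)
  [ "$bits" = "------" ]
}

# Create a per-user 0700 directory and print a session file path inside it.
# XDG_RUNTIME_DIR is preferred where set; ~/.cache is the assumed fallback.
private_session_path() {
  local base=${XDG_RUNTIME_DIR:-$HOME/.cache}
  local dir=$base/tuta-session
  (umask 077 && mkdir -p -- "$dir") || return 1
  chmod 700 -- "$dir" || return 1
  printf '%s\n' "$dir/session.json"
}

# Usage sketch, with the script path and flags as documented on this page:
#   SESSION=$(private_session_path)
#   (umask 077; python3 scripts/tuta_client.py login \
#       --email "$TUTA_EMAIL" --password "$TUTA_PASSWORD" \
#       --session-file "$SESSION")
#   session_file_is_private "$SESSION" || {
#     rm -f -- "$SESSION"
#     echo "session file is readable by others; removed" >&2
#   }
```

Running the same check before each inbox, read, or send call catches a session file whose permissions were loosened after login.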

Limitations

  • Tuta-to-Tuta emails: Sending to other Tuta users requires public key exchange (not yet implemented). Reading Tuta-to-Tuta received mail works.
  • Attachments: Not yet supported for sending.
  • API versioning: The v header is set to 84; may need updating if Tuta changes their API version.
  • Newer accounts: Argon2id key derivation is supported but less tested than bcrypt (legacy).
