Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Header Analyzer

v1.4.0

Parses email headers to detect spoofing, phishing, SPF/DKIM/DMARC failures, routing anomalies, and provides forensic analysis of email authenticity.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-email-header-analyzer.

Prompt Preview: Install & Setup
Install the skill "Email Header Analyzer" (snipercat69/edgeiq-email-header-analyzer) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-email-header-analyzer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install edgeiq-email-header-analyzer

ClawHub CLI


npx clawhub@latest install edgeiq-email-header-analyzer

Security Scan

Capability signals: Crypto · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (email header analysis, SPF/DKIM/DMARC, IP reputation, domain age) align with the code and SKILL.md features. However, some capabilities (IP reputation, domain-age/whois, VirusTotal-like checks) imply network calls and optional API keys even though the skill declares no required environment variables or credentials. That mismatch is worth noting: the skill supports external lookups but doesn't document required API keys or endpoints in requires.env.
Instruction Scope
SKILL.md and the code permit reading headers from an arbitrary file path (--file /path/to/raw_headers.txt). That is reasonable for an analyzer, but it also enables reading any filesystem file if the agent or caller supplies such a path. The code imports urllib and performs network lookups (IP reputation, optional VirusTotal-like checks). The SKILL.md does not clearly enumerate which external services will be contacted or which API keys (if any) should be provided, giving the agent broad discretion to perform network requests. The legal notice is present but there's nothing in the runtime instructions that prevents misuse (e.g., auto-invoked by an agent to read sensitive files).
Install Mechanism
No install specification — instruction-only skill with included Python scripts. This is lower install risk (nothing downloaded at install time). The files will be executed locally when invoked; that is expected for a shipped script but means the code should be reviewed before running.
Credentials
The package declares no required environment variables, but the code uses EDGEIQ_EMAIL and a license file (~/.edgeiq/license.key) to enable Pro/Bundle features. The licensing logic contains a built-in bypass: if EDGEIQ_EMAIL == 'gpalmieri21@gmail.com' (author's email), the code treats the user as licensed. This is a hidden/backdoor-like behavior (developer convenience) that may be unexpected and undesirable. The skill does not declare other optional env vars it may read (e.g., keys for external reputation services), so the environment/credential surface is under-documented.
Persistence & Privilege
always=false and the skill does not request permission to auto-enable itself or modify other skills. It places and reads a license file in the user's home (~/.edgeiq), which is normal for a license module, but it does not request elevated or global system privileges in the provided files.
What to consider before installing
This skill generally does what its description says, but review the code before running. Specific things to consider:
  • The analyzer will read any file path you pass with --file, so do not pass sensitive files unless you intend to analyze them.
  • The script performs network reputation/age lookups; verify what endpoints it calls (the truncated code suggests optional VirusTotal-style checks) and avoid supplying API keys unless you trust the author.
  • The licensing code grants Pro/Bundle access if EDGEIQ_EMAIL is set to the developer's email (gpalmieri21@gmail.com) or if a license file exists — this is a built-in bypass and may be unexpected.
  • Because the skill runs Python scripts included in the package, run it in an isolated environment (container or VM) if you are unsure of the source.
  • If you need higher assurance, ask the publisher for a complete list of external endpoints and required API keys, or have a developer audit the full email_analyzer.py (the shipped file was partially truncated in the bundle; network/exfil behavior could be in the omitted portion).
If you want to limit risk: do not grant the agent autonomous invocation for this skill, avoid setting EDGEIQ_EMAIL to the listed developer email, and do not provide API keys unless necessary and reviewed.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97cnec10pgqzzc2g0ymvj61jx85grjz
81 downloads · 0 stars · 4 versions
Updated 2d ago · v1.4.0 · MIT-0

Email Header Analyzer

Skill Name: email-header-analyzer
Version: 1.0.0
Category: Security / Email Forensics
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux


What It Does

Parses and analyzes email headers (RFC 5322) to detect spoofing, phishing indicators, SPF/DKIM/DMARC authentication failures, routing anomalies, and suspicious origin servers. Extracts forensic details from headers to determine if an email is legitimate or a spoof/impersonation attempt.

⚠️ Legal Notice: Only analyze emails you own or have explicit authorization to audit. Not for intercepting or analyzing others' communications without consent.


Features

  • SPF validation — checks Sender Policy Framework authentication result
  • DKIM verification — parses DKIM signature and verification result
  • DMARC analysis — evaluates Domain-based Message Authentication policy
  • From/Reply-To mismatch detection — flags when reply address differs from sender
  • Received headers path analysis — traces email route across mail servers
  • Suspicious routing anomalies — detects forged hops, unexpected relay chain
  • IP reputation lookup — checks originating mail server IP against blocklists
  • Domain age/check — flags newly registered domains in headers
  • Attachment analysis — checks filenames, MIME types, content disposition
  • JSON export — structured forensic report

Tier Comparison

Feature | Free | Lifetime ($39) | Optional Monthly ($7/mo)
Full header parse | ✅ (5 emails) | ✅ (unlimited) | ✅ (unlimited)
SPF/DKIM/DMARC check
From/Reply-To mismatch
Mail server IP reputation
Domain age lookup
Received path analysis
Attachment metadata
JSON export

Installation

cp -r /home/guy/.openclaw/workspace/apps/email-header-analyzer ~/.openclaw/skills/email-header-analyzer

Usage

Basic header scan (free tier)

python3 email_analyzer.py --header "Received: from mail.example.com..."

Paste raw headers from email (Pro)

EDGEIQ_EMAIL=your_email@gmail.com python3 email_analyzer.py \
  --file /path/to/raw_headers.txt --pro

JSON report output

EDGEIQ_EMAIL=your_email@gmail.com python3 email_analyzer.py \
  --header "$(pbpaste)" --bundle --output email-report.json

As OpenClaw Discord Command

In #edgeiq-support channel:

!emailheader Received: from server... Authentication-Results: spf=fail...
!emailheader --file /path/to/headers.txt --pro

Parameters

Flag | Type | Default | Description
--header | string | | Raw email headers (single line or multi-line)
--file | string | | Path to text file containing raw headers
--pro | flag | False | Enable Pro features
--bundle | flag | False | Enable Bundle features
--output | string | | Write JSON report to file

Output Example

=== Email Header Analyzer ===
Analyzing headers for: phishing-suspicion@attacker.com

  🔴 SPF FAIL — sender IP not authorized
    SPF Result: fail
    From domain: company.com
    Sender IP: 203.0.113.45 (not in SPF允许列表)
    Recommendation: Block or mark as suspicious

  🟡 DKIM: NONE (no signature found)
    Risk: Email has no cryptographic authentication

  🔴 DMARC POLICY FAIL
    Policy: reject
    Alignment: relaxed
    Result: SPF fail + DKIM none = DMARC fail

  🟡 FROM/REPLY-TO MISMATCH
    From:  legitimate@company.com
    Reply-To: refund@attacker-domain.com
    Risk: Likely phishing or business email compromise

  ✔ Received path looks normal (3 hops)
    Hop 1: mail.attacker.com [203.0.113.45]
    Hop 2: relay.example.net [198.51.100.23]
    Hop 3: mail.company.com [203.0.113.1]

  Threat Level: HIGH — Multiple authentication failures + Reply-To mismatch

Authentication Results Explained

Result | Meaning
SPF pass | Sender IP is authorized by the domain's SPF record
SPF fail | Sender IP is NOT authorized — likely spoofing
DKIM pass | Email digitally signed, signature valid
DKIM fail | Signature tampered or invalid
DMARC pass | Both SPF and DKIM aligned and passing
DMARC fail | Alignment failed — domain claimed but auth didn't match
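As an added example (not the skill's own email_analyzer.py, whose source is not shown on this page), the following pure-stdlib Python script implements the free-tier checks listed under Features and interpreted in the table above: it parses raw RFC 5322 headers with the email package, reads the spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results header, compares the From and Reply-To domains, walks the Received chain in origin-first order, and rolls the findings into a threat level like the one in the output example. The sample headers, the .example hostnames and the RFC 5737 IP addresses are constructed, and the severity weights and threat thresholds are this example's own assumptions, not the skill's.

```python
import json
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers: .example hostnames and RFC 5737 documentation IPs.
# Received headers are prepended by each MTA, so the chain reads newest-first.
SAMPLE_HEADERS = (
    "Received: from relay.example.net (relay.example.net [198.51.100.23])\n"
    "\tby mx.recipient.example (Postfix) with ESMTPS id 4XYZ\n"
    "\tfor <victim@recipient.example>; Mon, 3 Feb 2025 10:00:00 +0000\n"
    "Received: from mail.attacker.example (unknown [203.0.113.45])\n"
    "\tby relay.example.net with ESMTP; Mon, 3 Feb 2025 09:59:50 +0000\n"
    "Authentication-Results: mx.recipient.example;\n"
    "\tspf=fail (sender IP is 203.0.113.45) smtp.mailfrom=company.com;\n"
    "\tdkim=none (message not signed);\n"
    "\tdmarc=fail (p=reject dis=none) header.from=company.com\n"
    "From: Accounts Payable <legitimate@company.com>\n"
    "Reply-To: refund@attacker-domain.example\n"
    "To: victim@recipient.example\n"
    "Subject: Invoice overdue\n"
)

_AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
_HOP_HOST_RE = re.compile(r"\bfrom\s+(\S+)", re.I)
_HOP_IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def _unfold(value):
    """Collapse RFC 5322 folding whitespace (CRLF + WSP) into single spaces."""
    return re.sub(r"\s+", " ", value or "").strip()


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    return parseaddr(_unfold(header_value))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the topmost Authentication-Results header.

    Only the first (most recently added) header is trusted: it was written by
    the receiving MTA, whereas a sender can forge one lower in the stack.
    """
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for value in msg.get_all("Authentication-Results", [])[:1]:
        for mech, verdict in _AUTH_RE.findall(_unfold(value)):
            results[mech.lower()] = verdict.lower()
    return results


def received_path(msg):
    """(host, ip) per hop in origin-first order, i.e. Received headers reversed."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = _unfold(value)
        host, ip = _HOP_HOST_RE.search(text), _HOP_IP_RE.search(text)
        hops.append((host.group(1) if host else "?", ip.group(1) if ip else "?"))
    return hops


def analyze(raw_headers):
    """Run the checks and return a dict in the shape a JSON report would use."""
    msg = message_from_string(raw_headers)
    auth = auth_results(msg)
    from_dom, reply_dom = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    findings = []  # (severity, description); weights are this example's own choice
    if auth["spf"] == "fail":
        findings.append(("high", "SPF FAIL: sender IP not authorized for " + from_dom))
    if auth["dkim"] in ("missing", "none", "fail"):
        findings.append(("medium", "DKIM %s: no valid signature" % auth["dkim"].upper()))
    if auth["dmarc"] == "fail":
        findings.append(("high", "DMARC FAIL: no aligned SPF or DKIM pass for " + from_dom))
    if reply_dom and reply_dom != from_dom:
        findings.append(("medium", "Reply-To domain %s differs from From domain %s"
                         % (reply_dom, from_dom)))
    score = sum(2 if sev == "high" else 1 for sev, _ in findings)
    level = "HIGH" if score >= 3 else "MEDIUM" if score else "LOW"
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "auth": auth,
            "hops": received_path(msg), "findings": findings, "threat_level": level}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_HEADERS), indent=2))
```

Two design points worth keeping when extending this: only the topmost Authentication-Results header is read, because the receiving MTA adds its copy above anything the sender put in the message; and DMARC passes when either SPF or DKIM produces an aligned pass, so the sample's dmarc=fail reflects that neither did. IP reputation and domain-age lookups are deliberately left out; they need network access and, as the scan report above notes, should only be added once the endpoints contacted are known.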

Pro Upgrade

Full forensic analysis + IP reputation + domain age + path analysis:

👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo


Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com


🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →
