Clank Email Monitor

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The email-monitoring purpose is plausible, but the skill asks for mailbox credentials and describes background/auto-reply behavior while providing no reviewed implementation or clear install path.

Review this carefully before installing. Only use it if you can verify the actual email-monitor implementation and package source, and use a dedicated least-privilege email credential. Avoid enabling background monitoring or auto-reply until there are clear controls for approval, logging, stopping, and credential protection.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Medium
What this means

A user may be directed to run or install an unreviewed or mismatched executable before granting access to email accounts.

Why it was flagged

The skill documents a CLI and install flow, but the supplied artifacts state there is no install spec and no code files. The registry slug is also different from the documented install name, creating ambiguity about what command or package a user would actually run.

Skill content
```bash
# Check inbox for new messages
email-monitor check
...
clawhub install email-monitor
```
Recommendation

Do not run the referenced CLI unless its source, package identity, and implementation are verified and match this skill.
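The mismatch this finding describes can be caught mechanically before anything is installed. The following is an added example, not ClawScan's or the skill's own code: it reads a SKILL.md, pulls out the documented install command and CLI name, and compares them with the registry slug and install spec. The SKILL.md text and metadata are constructed to mirror this finding; the field names "install_spec" and "code_files" are assumptions, not the real registry schema.

```python
"""Pre-install consistency check for an agent skill (added example)."""
import re
from dataclasses import dataclass

# Constructed sample SKILL.md (hypothetical; only the lines that matter)
SAMPLE_SKILL_MD = """# Clank Email Monitor

## Install
clawhub install email-monitor

## Usage
# Check inbox for new messages
email-monitor check
# Monitor in background (cron)
email-monitor watch --interval 5m
"""

# Constructed registry metadata: the slug differs from the documented name,
# and the registry declares no install spec and ships no code files.
SAMPLE_METADATA = {"slug": "clank-email-monitor", "install_spec": None, "code_files": []}

# Lines of the form "clawhub install <name>"
INSTALL_RE = re.compile(r"^\s*clawhub\s+install\s+(\S+)", re.MULTILINE)
# Heuristic for a documented CLI invocation: "<name> <subcommand> ..." on its own line.
# Headings and comments start with '#', so they never match.
CLI_RE = re.compile(r"^\s*([a-z][a-z0-9_-]*)\s+[a-z][a-z0-9-]*(?:\s|$)", re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str


def documented_names(skill_md: str):
    """Return (install names, CLI names) that the SKILL.md tells the user to run."""
    installs = set(INSTALL_RE.findall(skill_md))
    clis = {m for m in CLI_RE.findall(skill_md) if m != "clawhub"}
    return installs, clis


def check_skill(skill_md: str, metadata: dict) -> list:
    """Compare what the skill documents against what the registry artifacts say."""
    findings = []
    installs, clis = documented_names(skill_md)
    slug = metadata.get("slug")
    for name in sorted(installs):
        if name != slug:
            findings.append(Finding("install-name-mismatch",
                                    f"SKILL.md installs '{name}' but registry slug is '{slug}'"))
    for name in sorted(clis):
        if name not in installs and name != slug:
            findings.append(Finding("cli-without-install",
                                    f"CLI '{name}' is documented but no install command provides it"))
    if installs and metadata.get("install_spec") is None:
        findings.append(Finding("no-install-spec",
                                "an install command is documented but the registry declares no install spec"))
    if clis and not metadata.get("code_files"):
        findings.append(Finding("no-code-files",
                                "a CLI is documented but the package contains no code files to review"))
    return findings


def safe_to_run(skill_md: str, metadata: dict) -> bool:
    """Fail closed: only a skill with no findings is a candidate for installing."""
    return not check_skill(skill_md, metadata)


if __name__ == "__main__":
    for f in check_skill(SAMPLE_SKILL_MD, SAMPLE_METADATA):
        print(f"{f.code}: {f.detail}")
```

Run against the constructed inputs this reports the slug mismatch, the missing install spec and the absence of code files; a registry entry whose slug equals the documented name and that carries an install spec and source files produces no findings. The CLI regex is a heuristic over line starts and will need tightening for SKILL.md files with lowercase prose lines.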

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Granting these credentials could allow broad reading of private email and, depending on provider permissions, possibly sending replies.

Why it was flagged

The skill requires sensitive email account credentials, but registry metadata declares no primary credential, required environment variable, or required config path, and the artifacts do not bound what inbox data is accessed.

Skill content
```
"api_key": "your_key" ... "AgentMail API key OR IMAP credentials"
```
Recommendation

Use only least-privilege app passwords or scoped API keys, restrict monitored inboxes, and verify how credentials and messages are handled before use.
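What "least-privilege" and "restrict monitored inboxes" look like in code, as an added example that is not the skill's own implementation: secrets are accepted only from the environment (an inline "api_key" or "password" in the JSON config is rejected), the config names exactly one folder, and the IMAP session opens that folder read-only so the credential cannot be used to flag, move or delete mail. The config, environment, the variable name EMAIL_MONITOR_PASSWORD and the FakeIMAP double are all constructed for this example; in real use the connection factory defaults to imaplib.IMAP4_SSL.

```python
"""Least-privilege mailbox credential handling (added example)."""
import imaplib

SECRET_KEYS = {"api_key", "password", "imap_password"}  # must never appear inline in config


class ConfigError(ValueError):
    pass


def load_mail_config(config: dict, env: dict) -> dict:
    """Validate a skill config and take the secret from the environment only."""
    inline = SECRET_KEYS & set(config)
    if inline:
        raise ConfigError(f"secret keys {sorted(inline)} must not be stored in the config file")
    password = env.get("EMAIL_MONITOR_PASSWORD")  # assumed variable name
    if not password:
        raise ConfigError("EMAIL_MONITOR_PASSWORD is not set; use a dedicated app password")
    folder = config.get("folder", "INBOX")
    if not folder or "*" in folder or "%" in folder:
        raise ConfigError("config must name a single folder to monitor, not a wildcard")
    return {"host": config["host"], "user": config["user"], "password": password, "folder": folder}


def open_readonly(creds: dict, connect=imaplib.IMAP4_SSL):
    """Log in and select the monitored folder read-only (imaplib sends EXAMINE, not SELECT)."""
    conn = connect(creds["host"])
    conn.login(creds["user"], creds["password"])
    status, data = conn.select(creds["folder"], readonly=True)
    if status != "OK":
        raise RuntimeError(f"cannot open folder {creds['folder']!r}: {data}")
    return conn


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL so the flow runs offline;
    it records the calls the real client would receive."""

    def __init__(self, host):
        self.host, self.calls = host, []

    def login(self, user, password):
        self.calls.append(("login", user))
        return "OK", [b"Logged in"]

    def select(self, mailbox="INBOX", readonly=False):
        self.calls.append(("select", mailbox, readonly))
        return "OK", [b"3"]


# Constructed sample inputs: the config carries no secret, the secret lives in env.
SAMPLE_CONFIG = {"host": "imap.example.test", "user": "monitor-bot@example.test", "folder": "INBOX"}
SAMPLE_ENV = {"EMAIL_MONITOR_PASSWORD": "app-password-placeholder"}
BAD_CONFIG = {**SAMPLE_CONFIG, "api_key": "your_key"}  # inline secret, as in the skill's snippet


def demo() -> list:
    """Load the constructed config and open the folder read-only through the fake client."""
    creds = load_mail_config(SAMPLE_CONFIG, SAMPLE_ENV)
    conn = open_readonly(creds, connect=FakeIMAP)
    return conn.calls


if __name__ == "__main__":
    print(demo())
```

Read-only selection is enforced by the server for the session, not by the client promising to behave, which is why it belongs in the connection setup rather than in the monitor's logic. Provider-side scoping (an app password or an API key limited to read) should be applied in addition, since a read-only session can still be re-opened read-write by a compromised process holding the same credential.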

ASI10: Rogue Agents
Severity: Medium
What this means

If enabled, the skill could keep accessing mail and send responses without clear per-message review.

Why it was flagged

The skill describes persistent background monitoring and automatic email responses, but does not specify confirmation requirements, stopping behavior, rate limits, or safeguards for outbound replies.

Skill content
```
- **Auto-Reply** – Optional automatic responses for urgent messages
...
# Monitor in background (cron)
email-monitor watch --interval 5m
```
Recommendation

Keep background watch and auto-reply disabled until the implementation is reviewed and explicit approval, stop, and logging controls are documented.
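The approval, stop and logging controls the recommendation asks for, shown as a gate an auto-reply path would be wired through. This is an added example, not the skill's code: every draft needs explicit per-message approval (the default approver denies everything, so an unreviewed deployment fails closed), a stop switch ends the watch, a per-hour rate limit bounds the damage of a bad approver, and every decision is recorded in an audit list. Messages, drafts, the approver and the timestamps are constructed; nothing here talks to a mail server.

```python
"""Outbound auto-reply gate with approval, stop switch, rate limit and audit (added example)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

HOUR = 3600.0


@dataclass(frozen=True)
class Message:
    uid: str
    sender: str
    subject: str


def deny_all(msg: Message, draft: str) -> bool:
    """Fail-closed default: nothing is approved unless a reviewer is wired in."""
    return False


def approved_uids(uids) -> Callable[[Message, str], bool]:
    """Approver backed by an explicit set of message uids a human signed off on."""
    uids = set(uids)
    return lambda msg, draft: msg.uid in uids


@dataclass
class ReplyGate:
    approve: Callable[[Message, str], bool] = deny_all
    max_per_hour: int = 5
    stopped: bool = False
    sent_times: deque = field(default_factory=deque)
    audit: List[dict] = field(default_factory=list)

    def _log(self, now: float, decision: str, msg: Optional[Message], reason: str) -> None:
        self.audit.append({"ts": now, "decision": decision,
                           "uid": None if msg is None else msg.uid, "reason": reason})

    def stop(self, now: float) -> None:
        """Stop switch: once set, this gate never sends again."""
        self.stopped = True
        self._log(now, "stopped", None, "watch stopped by operator")

    def try_reply(self, msg: Message, draft: str, now: float,
                  send: Optional[Callable[[Message, str], None]] = None) -> bool:
        """Return True only if the reply passed every control and was handed to send()."""
        if self.stopped:
            self._log(now, "blocked", msg, "gate is stopped")
            return False
        if not self.approve(msg, draft):
            self._log(now, "blocked", msg, "no per-message approval")
            return False
        while self.sent_times and now - self.sent_times[0] >= HOUR:
            self.sent_times.popleft()  # forget sends older than one hour
        if len(self.sent_times) >= self.max_per_hour:
            self._log(now, "blocked", msg, f"rate limit {self.max_per_hour}/hour reached")
            return False
        self.sent_times.append(now)
        if send is not None:
            send(msg, draft)
        self._log(now, "sent", msg, "approved")
        return True


def demo() -> Tuple[List[str], List[bool]]:
    """Constructed run: two approved sends, an approved but rate-limited third,
    an unapproved fourth, then the stop switch blocks even an approved message."""
    inbox = [Message(str(i), f"user{i}@example.test", "URGENT: please reply") for i in range(1, 5)]
    gate = ReplyGate(approve=approved_uids({"1", "2", "3"}), max_per_hour=2)
    outcomes = [gate.try_reply(m, "Got it, looking now.", now=1000.0 + i) for i, m in enumerate(inbox)]
    gate.stop(now=1010.0)
    outcomes.append(gate.try_reply(inbox[0], "Still here.", now=5000.0))
    return [e["decision"] for e in gate.audit], outcomes


if __name__ == "__main__":
    decisions, outcomes = demo()
    print(decisions, outcomes)
```

The approver is checked before the rate limit so the audit reason is specific, and the audit list is the artefact an operator would read to reconstruct what a background watch did. Wiring the real sender only through try_reply is the point: a cron-driven watch that can call the sender directly has no enforced control at all.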