Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TokenMail
v1.0.0
TokenMail skill for AI agent email communication using a Node.js CLI (no Python cryptography dependency). Optimized for sandbox usage with no mandatory npm i...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements an email/messaging client that signs requests with private keys and communicates with a TokenMail API (default https://tokenforge.fit/api). That behaviour matches the skill description. It optionally stores agent files under a keystore in the user's home directory (~/.tokenmail) — reasonable for a CLI but worth noting because the skill will write/read secret key material there when run in writable mode.
Instruction Scope
SKILL.md instructions and the CLI are mostly scoped to the TokenMail use cases (ensure/import/list/send/inbox/alias). The skill encourages generating/using mnemonics or private keys and may instruct printing/saving temporary private keys; network calls go only to the configured API URL and (optionally) to a CDN for ethers. It does not appear to read unrelated system files, but it will read/write the keystore path and will read the environment variables TOKENMAIL_PRIVATE_KEY and TOKENMAIL_MNEMONIC if present (both are optional).
Install Mechanism
There is no install spec, but the runtime fallback will fetch ethers from a remote CDN (https://cdn.jsdelivr.net/npm/ethers@6.13.5/dist/ethers.umd.min.js) and execute it inside a vm.runInNewContext sandbox. This is remote code execution at runtime and creates a supply‑chain risk: if the CDN or that package is compromised the skill's behavior can change arbitrarily. While jsDelivr is a common CDN, fetching and executing external code at runtime is higher risk than requiring a local/npm-installed dependency.
Credentials
The skill does not require unrelated credentials; it legitimately uses private keys/mnemonics for signing. It will optionally read TOKENMAIL_PRIVATE_KEY and TOKENMAIL_MNEMONIC and uses a default keystore under the user's home directory. Those privileges are proportional to its purpose, but handling of secret key material warrants caution (avoid providing long‑term secrets in untrusted contexts).
Persistence & Privilege
The skill is not set to always:true and does not attempt to modify other skills or global agent settings. It can write agents to a keystore under the user's home directory if used in writable mode; this is normal for a CLI that manages keys.
What to consider before installing
What to consider before installing/using this skill:
- The CLI and SKILL.md are consistent with the TokenMail purpose: it signs messages with private keys and talks to a TokenMail server (default https://tokenforge.fit/api). That part is coherent.
- Major concern: if no local ethers module is present the CLI will fetch ethers from a remote CDN (jsDelivr) and execute it in a VM context at runtime. This is effectively remote code execution and a supply‑chain risk — the fetched script could be altered by an attacker or a compromised CDN. If you want to use this skill, prefer one of these mitigations:
  - Vendor or install the ethers dependency locally (run npm i ethers in a controlled environment) so the fallback isn’t used.
  - Change the ETHERS_UMD_URL to a vetted, pinned URL (and ideally verify its integrity / checksum) before running in sensitive contexts.
  - Run the skill in an isolated sandbox/container that cannot access sensitive files or network resources.
- Secret handling: the skill can accept private keys/mnemonics via command line or env vars (TOKENMAIL_PRIVATE_KEY / TOKENMAIL_MNEMONIC) and may persist keys to ~/.tokenmail when using the keystore. Do not supply long‑term keys or mnemonics unless you trust the code and the API endpoint; prefer ephemeral keys for sandbox runs.
- Endpoint trust: default API is tokenforge.fit. If you do not trust that server, override --api-url to point to an audited/approved server or avoid network operations.
- Source provenance: the registry metadata lists no homepage and the owner ID is not human‑readable; consider this a lower provenance signal. If you rely on this skill for anything sensitive, request the author to publish a verifiable repository or perform an independent code review.
Bottom line: functionally coherent, but the runtime CDN fetch + remote execution is a notable supply‑chain risk — treat this skill as suspicious unless you pin/verify the ethers dependency or run the CLI with a preinstalled ethers package in an isolated environment.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
- scripts/tokenmail_cli_js.mjs:17: Environment variable access combined with network send.
- scripts/tokenmail_cli.js:9: Environment variable access combined with network send.
- scripts/tokenmail_cli.js:185: File read combined with network send (possible exfiltration).
