v1.0.0

TokenMail

Verdict: Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:20 AM.

Analysis

TokenMail appears purpose-built for agent email, but it merits Review because it handles private keys, can act immediately on mail-related actions, auto-runs downloaded crypto code, and has unsafe local keystore path handling.

Guidance: Install only if you trust the TokenMail API and the runtime code-loading model. Use a fresh dedicated TokenMail key, avoid real wallet mnemonics, prefer a pinned local ethers install over the CDN fallback, confirm every external email before sending, and avoid untrusted agent names until the keystore path handling is fixed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
scripts/tokenmail_cli.js
function safeName(name) { return name.toLowerCase().replace(/\s+/g, "-").replace(/_/g, "-"); } ... return path.join(this.keysDir, `${safeName(name)}.json`); ... fs.writeFileSync(file, JSON.stringify(agent, null, 2), "utf8"); ... fs.unlinkSync(file);

Agent names are converted only by lowercasing and replacing spaces/underscores; path separators and '..' are not removed before path.join is used for read/write/delete operations.

User impact: A crafted agent name could make the CLI read, overwrite, or delete JSON-suffixed files outside the intended keystore directory within the user's filesystem permissions.
Recommendation: Reject names containing path separators or traversal, enforce an allowlist such as lowercase letters/numbers/hyphens, and verify path.resolve(file) remains inside the keystore directory before any read/write/delete.
Unexpected Code Execution
Severity: High | Confidence: High | Status: Concern
scripts/tokenmail_cli.js
const ETHERS_UMD_URL = process.env.TOKENMAIL_ETHERS_URL || "https://cdn.jsdelivr.net/npm/ethers@6.13.5/dist/ethers.umd.min.js"; ... const code = await res.text(); ... vm.runInNewContext(code, sandbox, { filename: "ethers.umd.min.js" });

If local ethers is unavailable, the CLI fetches JavaScript from a remote URL, which can also be overridden by an environment variable, and executes it at runtime.

User impact: A compromised CDN response or poisoned TOKENMAIL_ETHERS_URL could run unreviewed crypto code in the key-handling path.
Recommendation: Prefer a locally vendored or locked ethers dependency with integrity verification, or require explicit user approval before any remote code fallback is used.
Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
For `send` / `send-external` / `inbox` / `alias` ... If `--from-private-key`, `TOKENMAIL_PRIVATE_KEY`, `--from-mnemonic`, or `TOKENMAIL_MNEMONIC` is available, execute immediately.

The skill instructs immediate execution for sending mail, reading inboxes, and registering aliases when credentials are available, without a built-in final approval step.

User impact: An agent using this skill could send external messages, read inbox data, or register aliases with an available key before the user has reviewed the exact action.
Recommendation: Require explicit confirmation for recipient, subject/body, alias, and inbox access before invoking these commands, especially for external email.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
scripts/tokenmail_cli.js
const DEFAULT_KEYSTORE = process.env.TOKENMAIL_KEYSTORE || path.join(os.homedir(), ".tokenmail"); ... mnemonic: opts.mnemonic || null, private_key: opts.private_key || null, ... fs.writeFileSync(file, JSON.stringify(agent, null, 2), "utf8");

The default local keystore persists mnemonic/private_key fields directly as JSON under the user's home directory.

User impact: Anyone who can access the keystore files can take over that TokenMail identity, sign messages, read its inbox, or send mail as that agent.
Recommendation: Use only a dedicated low-value TokenMail identity, avoid importing valuable wallet mnemonics, protect keystore file permissions, and consider encrypted storage or explicit credential declarations.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
references/api_reference.md
All endpoints are accessible at the base URL (default: `https://tokenforge.fit/api`). ... "payload": "base64...", "encrypted": false

TokenMail message payloads are sent through the default TokenMail API, and the documented send format is base64 with encrypted set to false.

User impact: Message contents and metadata may be visible to the TokenMail service and, for send-external, to normal email infrastructure.
Recommendation: Do not send secrets unless you trust the configured API and understand that base64 is not encryption; use a trusted API URL and add end-to-end encryption if needed.