Sky - Email for AI Agents

This SKILL.md appears to be a genuine email API for agents, but it omits a key metadata declaration and has operational risks you should consider before installing: - Metadata mismatch: The skill does not declare required env vars, yet the instructions require an API key (SKY_API_KEY) and mention a webhook_secret. Treat these as secrets and expect the skill to need them; ask the publisher to update the metadata to list SKY_API_KEY (and webhook_secret usage) explicitly. - Webhook risk: You'll publish a public webhook_url that receives incoming messages. Ensure your endpoint uses HTTPS, verifies the provided signature (webhook_secret) properly, and rejects unsigned or replayed requests. The SKILL.md references signature verification but doesn't provide an implementation example—request one if you need it. - Auto-send/autonomy: Because the agent can invoke this skill, it could send emails automatically. Define policy or confirmations to prevent accidental or abusive outbound messages and limit recipient scope if necessary. - Protect the API key: Store SKY_API_KEY securely (secret manager), use least-privilege keys if supported (test vs live), rotate keys, and monitor usage/quotas and billing to detect abuse. - Data handling: Treat messages as potentially sensitive. Ensure logs, storage, and any process_emails.sh scripts you use do not leak content to third parties. If you decide to proceed, ask the skill author to fix the metadata to declare SKY_API_KEY (and other secrets), provide concrete webhook signature verification examples, and document limits/permissions for the API key (scopes, rate limits, refund/abuse policy).