Send email using MailChannels Email API
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: mailchannels Version: 1.0.0 The skill bundle is benign. It provides instructions and metadata for integrating with the MailChannels Email API, requiring `MAILCHANNELS_API_KEY` and `MAILCHANNELS_ACCOUNT_ID` for its stated purpose, and `curl` for API interaction. There is no evidence of prompt injection, data exfiltration, malicious execution, persistence, or obfuscation in `SKILL.md` or `_meta.json`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could send unintended emails through the configured MailChannels account.
The skill documents endpoints for sending outbound email through the user's MailChannels account. This is the stated purpose, but outbound sends can have real external impact.
- Send: `POST /send` - Send async: `POST /send-async`
Use this only where outbound email sending is intended, and instruct the agent to draft and get user confirmation before sending.
Anyone or any agent workflow with access to the API key may be able to send email for the account.
The skill requires MailChannels credentials that can authorize email sending. This is expected for the integration and is disclosed.
Required: - `MAILCHANNELS_API_KEY` (send in `X-Api-Key`) - `MAILCHANNELS_ACCOUNT_ID`
Use a scoped or dedicated API key if available, protect it as a secret, rotate it if exposed, and limit sender domains with the documented DNS lockdown.
A misconfigured webhook could let untrusted or malformed events trigger agent-side processing or incorrect delivery-state updates.
The skill routes an external provider webhook into an agent action. It also describes signature and account validation, which are important safeguards.
Map `/hooks/<path>` to an agent action via `hooks.mappings` and optional transform. 3) Enroll the public endpoint in MailChannels `/webhook?endpoint=...`.
Expose only a narrow webhook action, enforce the documented signature, freshness, and `customer_handle` checks, and avoid routing unvalidated webhook bodies into broad agent actions.
Delivery logs may retain recipient and delivery metadata longer than users expect.
The skill recommends persisting raw delivery events that can include email addresses and message correlation data.
Common fields: `email`, `customer_handle`, `timestamp`, `event`, `request_id`. Operational tips: respond 2xx quickly, process async, store raw events, dedupe retries.
Minimize retention of raw events, redact where possible, protect the storage location, and keep persisted webhook data separate from unrelated agent memory.
Install-time prompts or registry summaries may not make the credential requirement obvious even though the SKILL.md does.
Registry metadata under-declares setup needs compared with SKILL.md, which requires `MAILCHANNELS_API_KEY`, `MAILCHANNELS_ACCOUNT_ID`, and `curl`.
- Required env vars: none - Env var declarations: none - Primary credential: none
Review SKILL.md before use and configure the required MailChannels credentials manually; the publisher should align registry metadata with the skill's declared requirements.