ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

email-skill

v1.0.3

Upgraded to https://clawhub.ai/tyxiang/ai-agent-email-skill and no longer maintains this version.

0· 80·0 current·0 all-time
by@tyxiang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is named 'email-skill' but the SKILL.md only contains a one-line deprecation/upgrade notice and no capabilities, APIs, or required credentials. Someone expecting an email integration would legitimately need SMTP/API credentials and runtime instructions; those are absent, so the declared purpose does not match the actual contents.
!
Instruction Scope
The runtime instructions are effectively empty (just a name and a note that this version is deprecated). There are no commands, no guidance on what the agent should do, and no references to files, env vars, or external endpoints. This makes the skill non-functional and ambiguous about intended behavior.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes risk from downloads or executed installers.
Credentials
The skill requests no environment variables, credentials, or config paths. There is no evidence of disproportionate access requests.
Persistence & Privilege
The skill does not request always:true, does not modify configs, and has default invocation settings. There are no indications it would gain elevated or persistent privileges.
What to consider before installing
This package appears to be a deprecated placeholder pointing to a new location and does not implement any email functionality. It is not harmful but also not useful: installing it won't provide an email skill. If you need an email integration, install the maintained skill at the URL in the description and verify what credentials (SMTP/API keys) it requires before granting them. If you expected this skill to work, treat it as broken/abandoned rather than malicious. If you want a fuller security evaluation, provide the newer skill's SKILL.md or any code files so those can be reviewed.

Like a lobster shell, security has layers — review code before you run it.

latestvk977914h9mfp3p69qx84qkrm41847kvx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments