ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fastmail

v1.0.1

Manages Fastmail email and calendar via JMAP and CalDAV APIs. Use for emails (read, send, reply, search, organize, bulk operations, threads) or calendar (events, reminders, RSVP invitations). Timezone auto-detected from system.

0· 1.8k·1 current·3 all-time
by@witooh
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill explicitly implements JMAP (email) and CalDAV (calendar) and requires Fastmail credentials, which fit the stated purpose. However the registry metadata claims no required env vars, 'instruction-only', and no required binaries, while SKILL.md and the code require environment variables (FASTMAIL_API_TOKEN, FASTMAIL_USERNAME, FASTMAIL_PASSWORD) and the README/SKILL.md instructs installing and running with Bun. The mismatch between declared metadata and actual requirements is incoherent and reduces trust.
Instruction Scope
SKILL.md and the CLI code instruct the agent to run local commands (bun install, bunx fastmail ...) and to read environment variables for credentials. Those actions are appropriate for a Fastmail integration. The instructions do not ask the agent to read unrelated system files or to exfiltrate data to unknown endpoints; network calls target Fastmail JMAP and CalDAV endpoints. However the pre-scan detected a 'base64-block' pattern (possible embedded asset or obfuscation) inside distributed files which could hide unexpected behavior — this is unusual and worth auditing.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md asks the user to run 'bun install' and use 'bunx' to execute the bundled CLI. A large bundled dist/cli.js is included, which means substantial code will be present on disk if installed. Dependencies are standard (tsdav, uuid). The lack of an explicit, reproducible install manifest in the registry plus a bundled executable suggests you should inspect the bundled code (dist/cli.js) before running; bundlers sometimes inline large base64 blobs (flagged by the scanner) so confirm those blobs are benign.
!
Credentials
The environment variables required by the SKILL.md and code (FASTMAIL_API_TOKEN for JMAP; FASTMAIL_USERNAME and FASTMAIL_PASSWORD for CalDAV) are appropriate and expected for this purpose. The README notes tokens have full account access, which is significant but expected for API tokens. The concern is that the registry metadata omitted these required credentials entirely — an inconsistency that could trick users into granting secrets without realizing what is needed. Also verify the skill truly only uses those credentials for hosted Fastmail endpoints.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or system-wide settings. It appears to run on demand via CLI and uses environment variables; autonomy and persistence are normal/default and present no additional red flags by themselves.
Scan Findings in Context
[base64-block] unexpected: The scanner flagged a base64 block pattern in the bundled files. Embedding base64 blobs in a bundled CLI can be benign (assets, polyfills), but it can also be used to hide data or code. Since this project includes a large compiled 'dist/cli.js', inspect the blob(s) to confirm they are not obfuscated malware or hidden network endpoints.
What to consider before installing
Do not install or run this skill until you verify its origin and inspect the bundled code. Specific steps: - Verify source: this skill lists no homepage and source is unknown; prefer skills with a verifiable repository or maintainer. - Confirm required credentials: SKILL.md and code require FASTMAIL_API_TOKEN (JMAP) and FASTMAIL_USERNAME + FASTMAIL_PASSWORD (CalDAV). Only provide an app-specific token/password with minimal required scope; do not use your primary password. - Audit the bundle: review dist/cli.js and any embedded/base64 content for unexpected endpoints, encoded scripts, or obfuscated behavior before running 'bun install' or executing the CLI. - Run in a sandbox: if you must test, run it in an isolated environment or container, and monitor outbound network calls to ensure they only go to Fastmail endpoints (api.fastmail.com, caldav.fastmail.com). - Use least privilege and rotate: generate a dedicated Fastmail API token/app-password for this skill and revoke/rotate it after testing. - If metadata/registry claims differ from the package (e.g., 'instruction-only' vs present code), treat that as a warning signal and reach out to the publisher or avoid using the skill until provenance is clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk979g84g2s5xkrephdhv2k6x6580jwz6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments