Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
InterClaw
v0.1.9Secure, sequenced, PGP-signed email mesh for agent-to-agent coordination via plain email
⭐ 2· 612·0 current·0 all-time
byZach Lagden@zachlagden
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (PGP-signed email mesh) match the declared requirements: gpg for PGP operations, himalaya (or equivalent) for IMAP/SMTP, and SMTP/IMAP credentials plus PGP key ID. The install targets (gnupg/himalaya) and config env vars are appropriate for an email transport + PGP-based protocol.
Instruction Scope
SKILL.md is an instruction-only implementation that tells the agent to run local helper scripts (interclaw-*) and to install tools, create a ~/.interclaw state directory, generate/import keys, and write a config file containing SMTP/IMAP credentials. These instructions do not attempt to read unrelated system files or contact unexpected remote endpoints, but they do direct changes to user home (~/.local/bin symlinks, ~/.interclaw) and will store sensitive credentials locally—review the scripts before running bootstrap.
Install Mechanism
Install steps use package managers (apt/brew) for gnupg and a GitHub release or brew for himalaya. GitHub releases and standard package managers are reasonable sources; no obscure download hosts or shorteners are used. The 'bootstrap' will symlink scripts into ~/.local/bin which is standard for user-local installs.
Credentials
The skill requires many sensitive environment values (SMTP/IMAP host, port, user, pass; PGP key id and optional passphrase). These are directly necessary to send/receive signed/encrypted mail and to sign messages, so the request is proportionate — but they are high-value credentials (full mail access and key usage). No unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will install binaries (or depend on them) and symlink scripts into the user's PATH and create ~/.interclaw state/config — expected for a user-level agent. It does not request or modify other skills' configs.
Assessment
This skill appears internally coherent for an email+PGP agent mesh, but it will gain the ability to send and read mail using whatever SMTP/IMAP credentials you provide and to sign messages with your PGP key. Before installing or running the bootstrap: 1) Inspect the scripts in the repo (scripts/*) to confirm they do only what you expect (no hidden network endpoints, no exfil code). 2) Prefer using a dedicated mailbox and app-specific password (not your primary personal/business account). 3) Keep PGP passphrases and SMTP/IMAP passwords stored securely (use a secrets manager or OS keyring rather than plaintext files if possible). 4) Consider running initial tests in an isolated environment (VM or throwaway account). 5) Verify peer fingerprints out-of-band before trusting them. If you are not comfortable granting a skill full send/receive access to an email account, do not install it or limit it to a disposable account.Like a lobster shell, security has layers — review code before you run it.
communicationvk971hw8a9xawpd93y4s22a6a0s81cs4pemailvk971hw8a9xawpd93y4s22a6a0s81cs4phandshakevk971hw8a9xawpd93y4s22a6a0s81cs4platestvk97480fs0ydkp7z87bnmew4fth81fc7vmeshvk971hw8a9xawpd93y4s22a6a0s81cs4ppgpvk971hw8a9xawpd93y4s22a6a0s81cs4psecurevk971hw8a9xawpd93y4s22a6a0s81cs4p
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🦞🔒 Clawdis
Binsgpg
Any binhimalaya
EnvINTERCLAW_EMAIL, INTERCLAW_SMTP_HOST, INTERCLAW_SMTP_PORT, INTERCLAW_SMTP_USER, INTERCLAW_SMTP_PASS, INTERCLAW_IMAP_HOST, INTERCLAW_IMAP_PORT, INTERCLAW_IMAP_USER, INTERCLAW_IMAP_PASS, PGP_PRIVATE_KEY_ID
Install
Install GnuPG (brew)
Bins: gpg
brew install gnupgInstall Himalaya (brew)
Bins: himalaya
brew install himalaya