Near Email Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or application mishandles this key, it could spend prepaid balance or access the email service as the user.
The HTTPS integration requires a payment key credential to authorize calls to the NEAR Email service.
'X-Payment-Key': PAYMENT_KEY
Store payment keys securely, avoid hardcoding real secrets in source code, and restrict use to the intended NEAR Email account/workflow.
A mistaken or over-eager agent could delete the wrong email if it acts without clear user confirmation.
The API reference includes an email deletion action, which is expected for an email integration but mutates user communications.
### delete_email ... "action": "delete_email", "email_id": "uuid-of-email"
Require explicit user approval before deleting emails or sending messages with important content.
Private or sensitive email content sent with plaintext mode could become publicly visible and difficult or impossible to remove.
The plaintext send mode intentionally publishes email content to a public blockchain, creating persistent exposure if used with private data.
Email content (to, subject, body) is stored PUBLICLY on the NEAR blockchain. Do NOT use for private messages.
Use encrypted email actions for private messages and reserve plaintext mode only for non-sensitive automated notifications.
Email metadata/content and payment authorization data are shared with the NEAR Email/OutLayer service during normal operation.
The skill sends email requests and credentials to an external provider endpoint, which is disclosed and aligned with the service purpose.
POST https://api.outlayer.fastnear.com/call/{contract}/{project}
Only send data you are comfortable sharing with that provider, and verify the endpoint and project identity before use.
Users have less provenance information to verify the package or repository before installing or trusting it with payment/account credentials.
The documentation includes a user-directed global install command, while the registry metadata lists the source as unknown and no homepage is provided.
npx openskills install zavodil/near-email-skill -g
Verify the repository, maintainer, and NEAR contract/project details before installation or credential use.
