Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Email

v1.0.0

Enables sending outbound emails via AgentMail.to for system alerts and task completion reports using thundarr@agentmail.to.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes sending outbound email via AgentMail and says a valid AgentMail API key is required, but the skill metadata lists no required environment variables or primary credential. The README also references a send_mail.py tool that is not present in the package. These inconsistencies mean the declared purpose does not match the provided artifacts.
! Instruction Scope
Instructions ask the agent to perform outbound communication and mention system alerts (e.g., system temperature) but are vague about how to collect that system data and how the API key should be supplied or stored. The guide references running a Python script that is not included; that ambiguity could cause the agent to attempt to create, download, or request credentials unexpectedly.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. That lowers installation risk, but does not resolve the metadata/instruction mismatches.
! Credentials
SKILL.md explicitly requires an AgentMail API key (a secret), yet the skill metadata does not declare any required environment variables or primary credential. Requiring a secret without declaring it is disproportionate and opaque—users won't know what to provide or how it will be stored/used.
Persistence & Privilege
The skill is not marked always:true and uses default autonomous invocation behavior. It does not request persistent system-wide configuration or modify other skills according to the provided metadata.
What to consider before installing
Do not install or enable this skill until the author fixes the mismatches. Ask the publisher to: (1) declare the exact environment variable name(s) for the AgentMail API key in the skill metadata, (2) include the send_mail.py source (or a trusted install specification) so you can review its behavior, and (3) explain exactly what system data the skill will read (e.g., temperature sensors, logs) and how credentials will be stored. If you must use it before those clarifications, limit the agent's ability to run autonomously and do not provide high-privilege or long-lived credentials—prefer a dedicated, scoped API key that can be revoked quickly. Verify AgentMail.to is a legitimate service and that sending from thundarr@agentmail.to is authorized.

Like a lobster shell, security has layers — review code before you run it.
