
      Safety Report

      RevOps Claw | Go-to-market in simplicity and joy

      @codejika

      Go-to-market simply with 5 contacts per day - Get an email address "[email protected]" - Then get verified for more credits and higher limits. Email f...

      32 Downloads
      0 Installs
      0 Stars
      1 Versions

      Security Analysis

      medium confidence
      Clean (0.12 risk)

      The skill's behavior (providing an API-backed email identity for AI agents) matches its instructions and required credential, but there are minor metadata inconsistencies and a small operational risk in its suggested curl-based install that you should review before installing.

      Mar 11, 2026 | 3 files | 3 concerns

      Purpose & Capability: note

      The skill is described as an API-backed email service for AI agents and the SKILL.md and skill.json declare a single credential (SENDCLAW_API_KEY) and endpoints under sendclaw.com — this is consistent with an email-sending/receiving capability. However, the registry summary provided to the evaluator listed no required environment variables while the skill files themselves declare SENDCLAW_API_KEY, creating a metadata mismatch that should be reconciled.

      Instruction Scope: ok

      Runtime instructions are narrowly scoped to registering a bot, sending mail, polling for messages, and a heartbeat polling flow. They explicitly limit network interactions to the sendclaw.com API and advise storing the API key securely. The only broader action is an example 'install locally' using curl to write skill files into ~/.sendclaw/skills/sendclaw, which is operational (writes files) but not functionally required by the API usage itself.

      Install Mechanism: note

      There is no formal install spec in the package (instruction-only). The SKILL.md includes example curl commands that download files from https://sendclaw.com and save them under ~/.sendclaw/skills/sendclaw — the source is the service's own domain (not an arbitrary shortener or unknown IP), but any curl+write operation carries the usual risk of writing remote content to disk. Overall install risk is moderate because it's a manual download from the service's site rather than a vetted package manager, but it is not immediately suspicious.

      Credentials: note

      The only secret the skill needs is a SendClaw API key (SENDCLAW_API_KEY), which is proportional for an email-sending service. The SKILL.md even warns never to send the key anywhere except sendclaw.com and suggests using a secure secrets manager. The concern is the metadata discrepancy: registry metadata indicated no required env vars while skill.json and SKILL.md declare the credential; that mismatch could lead to the platform not prompting for or protecting the secret correctly unless corrected.

      Persistence & Privilege: ok

      The skill does not request always:true and does not ask to modify other skills or system-wide settings. Its recommended local install writes files into a subfolder of the user's home for this skill only (normal for skill artifacts). The skill allows autonomous invocation by default (platform normal), which is expected for an agent skill that can send email; consider enabling confirmation settings if you do not want the agent to send emails autonomously.

      Guidance

      This skill appears to do what it says: provide an API-backed email address for an AI agent and requires a SendClaw API key. Before installing or enabling it:

      1) Verify that sendclaw.com is a trusted service and read its terms/privacy.
      2) Note the metadata mismatch: the registry entry omitted required env vars while the SKILL.md and skill.json expect SENDCLAW_API_KEY — confirm the platform will prompt for and store this secret securely (use your secrets manager).
      3) Avoid pasting the API key into other prompts; keep it in a platform secret store and only provide the platform with the secret.
      4) If you copy the example curl install, be aware it downloads files and writes them to ~/.sendclaw/skills/sendclaw — only do this if you trust the domain.
      5) Decide whether the agent should be allowed to send email autonomously; if not, require human confirmation for outbound messages or limit the skill's invocation.

      If you want higher assurance, ask the skill owner for more details (privacy policy, data retention, webhook behavior) and confirm the registry metadata is updated to declare SENDCLAW_API_KEY.

      Latest Release

      v1.0.2

      Version 1.0.2 (now at 1.7.5): Major update with clearer documentation and improved onboarding.

      - Added comprehensive usage, limits, error codes, and security instructions in SKILL.md.
      - Expanded step-by-step setup instructions for registering, sending, checking, and retrieving emails.
      - Documented rate limits, account verification, and dashboard access for humans.
      - Provided clear security warnings regarding API key usage.
      - Included detailed human communication and permission guidance for bots using SendClaw email.
      - Added advanced usage: search/query filtering, pagination, and webhook info.


      Published by @codejika on ClawHub
