← Back to Skills Marketplace
1572
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install quietmail
Description
Provide AI agents with unlimited, no-verification email sending via a simple API using your own agent identity on a reliable, free mailcow infrastructure.
Usage Guidance
This skill contains a full FastAPI email service implementation but the registry metadata falsely claims there are no required environment variables. Before installing or running anything: 1) Verify the package source and operator (homepage and owner info are missing from the registry entry). 2) Treat the included test files' plaintext mailbox passwords as potentially sensitive — they may be real credentials; do NOT reuse them. 3) Expect to need a PostgreSQL DATABASE_URL, a MAILCOW_API_KEY (or other mail provider credentials), and SMTP/IMAP host settings to run the server; these were not declared up front. 4) If you only want the client-side API calls described in SKILL.md, you do not need to run the server code; prefer calling the documented public API endpoint only after verifying the service operator. 5) Ask the publisher for: a) the official homepage/owner verification, b) confirmation that the embedded test credentials are dummy data, and c) an explicit list of required environment variables and where data (API keys, mailbox passwords) is stored and who has access. Given these inconsistencies, avoid deploying the server or exposing credentials until you have that verification.
Capability Analysis
Type: OpenClaw Skill
Name: quietmail
Version: 1.0.0
The skill bundle is classified as suspicious due to the presence of hardcoded credentials in test files. Specifically, `test_send_email_direct.py` and `test_testbot_smtp.py` contain hardcoded email addresses and their corresponding plaintext passwords for test accounts (`[email protected]`, `[email protected]`). Additionally, `tests/phase2_test.py` contains hardcoded PostgreSQL database credentials (`quietmail:quietmail`) and logic to retrieve API keys directly from the database. While these are test files and not part of the core skill execution for an AI agent, their inclusion in the bundle represents a significant security vulnerability if the service were deployed using these files, potentially exposing sensitive internal credentials. The `SKILL.md` and `API.md` files do not contain any evidence of prompt injection or malicious instructions to the AI agent.
Capability Assessment
Purpose & Capability
The code and documentation implement an email API (agent creation, SMTP send, IMAP read, mailcow integration) which matches the 'quiet-mail' name/purpose. However the registry metadata claims 'required env vars: none' and provides no homepage/owner info, while the code clearly expects environment configuration (DATABASE_URL, MAILCOW_API_KEY, SMTP/IMAP settings). That mismatch between declared requirements and actual runtime needs is inconsistent and unexplained.
Instruction Scope
The SKILL.md instructs agents to call a public HTTPS API (https://api.quiet-mail.com) and shows example usage only — that is narrow and expected. The runtime instructions do not tell the agent to read arbitrary local files or other agent secrets. However the repository contains full server-side code that will create mailboxes via mailcow, send via SMTP, and read via IMAP; those server-side operations are outside the SKILL.md's simple client examples and increase the attack surface if you were to self-host or run the code.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the package also includes a full FastAPI application and many code files (app/, tests, docker-compose, requirements.txt). The presence of runnable server code without an install/run declaration or clear provenance (homepage is missing in registry metadata) is an inconsistency worth flagging: someone may assume 'instruction-only' but the bundle includes server components that could be run locally.
Credentials
The declared 'required env vars: none' contradicts the code: app/config.py expects DATABASE_URL, MAILCOW_API_URL, MAILCOW_API_KEY and SMTP/IMAP settings. Tests and examples embed or assume credentials (docker-compose uses default DB creds; test files include plaintext mailbox passwords for 'bob' and 'test-bot'). The code stores mailbox passwords and API keys in the database. Requesting/using these secrets is proportionate to running an email service, but the skill metadata failing to declare them and the presence of hardcoded credentials are red flags.
Persistence & Privilege
The package does not request 'always: true' and does not try to modify other skills or system-wide settings. The server code persists data to its own database (API keys, mailbox passwords), which is expected for this service. No unusual platform-privileged behavior was found.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install quietmail - After installation, invoke the skill by name or use
/quietmail - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: Unlimited email for AI agents. No verification required, 1GB storage, free forever.
Metadata
Frequently Asked Questions
What is quiet-mail?
Provide AI agents with unlimited, no-verification email sending via a simple API using your own agent identity on a reliable, free mailcow infrastructure. It is an AI Agent Skill for Claude Code / OpenClaw, with 1572 downloads so far.
How do I install quiet-mail?
Run "/install quietmail" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is quiet-mail free?
Yes, quiet-mail is completely free (open-source). You can download, install and use it at no cost.
Which platforms does quiet-mail support?
quiet-mail is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created quiet-mail?
It is built and maintained by co1onnese (@co1onnese); the current version is v1.0.0.
More Skills