← Back to Skills Marketplace
Xobni Email
by
ghoshsanjoy78
· GitHub ↗
· v1.0.1
997
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install xobni
Description
Email infrastructure for AI agents via Xobni.ai. Provides real email addresses (@xobni.ai) with REST API and MCP server access. Use when an AI agent needs to send/receive email, search inbox, manage attachments, or set up webhooks for email notifications.
Usage Guidance
This skill appears to implement an email API and is coherent with that purpose, but metadata failed to declare the primary API credential. Before installing: (1) verify the service domain (https://xobni.ai) and that you trust the operator, (2) expect to provide an agent-scoped API key (check that the registry entry is updated to declare something like XOBNI_KEY or a primaryEnv), (3) only give a scoped key limited to the specific agent and rotate/revoke keys when done, (4) if you configure webhooks, ensure your endpoint verifies X-Xobni-Signature HMAC and only accepts deliveries from trusted IPs, (5) confirm attachment size/limits and privacy implications of sending email content to a third-party service. The omission of declared credentials is likely an oversight but merits caution; require the publisher to correct metadata before trusting automated/long-running usage.
Capability Analysis
Type: OpenClaw Skill
Name: xobni
Version: 1.0.1
The skill bundle is classified as suspicious due to its inherent capabilities that, while legitimate for an email service, present significant risks if an AI agent using this skill is compromised via prompt injection. Specifically, the skill allows sending emails with base64-encoded attachments and creating webhooks to arbitrary URLs, as detailed in SKILL.md and references/api.md. These features could be abused by a malicious prompt to exfiltrate sensitive local files or email metadata to an attacker-controlled endpoint. There is no evidence of intentional malice within the skill's instructions or code, but the exposed capabilities are high-risk.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md and references/api.md consistently describe an agent-scoped email service (send/receive/search/webhooks). That functionality justifies use of an API key and webhook configuration. However, the registry metadata declares no required environment variables or primary credential even though every example uses an API key (Authorization: Bearer). The omission of a declared primary credential is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to call REST endpoints and MCP server for email operations and shows webhook setup. It does not instruct reading unrelated local files, scanning system state, or exfiltrating arbitrary data. Examples reference an environment variable ($XOBNI_KEY) and suggest creating a scoped API key — again, this is expected for the service but should be declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written to disk by the skill package itself.
Credentials
The service legitimately requires an agent-scoped API key; that is proportionate. The concern is metadata claims 'no required env vars' and 'primary credential: none' while examples use $XOBNI_KEY/Authorization headers. This mismatch could be simple metadata omission, but it means the skill packaging does not clearly declare the secret it needs — a transparency and governance issue. Also note webhooks will deliver snippets and webhook secrets are returned once; users must protect webhook endpoints.
Persistence & Privilege
The skill is not always-enabled and does not request system config paths or modify other skills. It appears not to require elevated persistence or cross-skill privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install xobni - After installation, invoke the skill by name or use
/xobni - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Updated MCP authentication instructions: the Bearer token no longer requires the "xobni_" prefix.
- Clarified the `mark_email` tool can now set emails as "unstarred".
- Webhook section simplified for easier setup and mentions direct integration with any HTTP endpoint.
- Removed detailed OpenClaw integration; now highlights standard webhook event setup and response payloads.
- Webhook event payload documentation notes inclusion of metadata and a 200-character snippet.
v1.0.0
Initial release of the Xobni.ai email infrastructure skill for AI agents.
- Provides real @xobni.ai email addresses for agents, with REST API and MCP server access.
- Supports reading, sending, searching emails, managing attachments, and setting up webhooks for notifications.
- API keys are scoped per agent for granular security—no cross-agent data access.
- Includes example cURL commands and MCP server config for quick integration.
- Offers semantic inbox search and 14 MCP tools for advanced email workflows.
- Guides on integrating webhook notifications with OpenClaw and other automation platforms.
Metadata
Frequently Asked Questions
What is Xobni Email?
Email infrastructure for AI agents via Xobni.ai. Provides real email addresses (@xobni.ai) with REST API and MCP server access. Use when an AI agent needs to send/receive email, search inbox, manage attachments, or set up webhooks for email notifications. It is an AI Agent Skill for Claude Code / OpenClaw, with 997 downloads so far.
How do I install Xobni Email?
Run "/install xobni" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Xobni Email free?
Yes, Xobni Email is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Xobni Email support?
Xobni Email is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Xobni Email?
It is built and maintained by ghoshsanjoy78 (@ghoshsanjoy78); the current version is v1.0.1.
More Skills