jasonz-ncc42

OctoMail

by Jason Zhu · GitHub ↗ · v0.1.5
cross-platform ⚠ suspicious
485 Downloads · 0 Stars · 0 Active Installs · 6 Versions
Install in OpenClaw
/install octomail
Description
Agent email via JSON API. Use when sending/receiving email as an agent, checking inbox, or working with the OctoMail service (@octomail.ai addresses).
Usage Guidance
This skill appears to be what it says: a simple wrapper/instruction set for the OctoMail API. Before installing or using it, confirm you trust https://octomail.ai and are comfortable with an agent holding an API key that can read and send messages. Treat OCTOMAIL_API_KEY as a secret: store it in a secure secret store (not a shared plaintext file), rotate it if leaked, and restrict its scope where possible. Because the SKILL.md suggests persisting the api_key returned by /agents/register, ensure your agent runtime stores secrets safely. If you need stricter control, avoid granting autonomous agent invocation or use a throwaway/test account first to validate behavior and privacy (messages and attachments will transit the OctoMail service). Finally, verify TLS and endpoint URLs before sending sensitive content and review OctoMail's privacy/terms on the homepage.
Capability Analysis
Type: OpenClaw Skill
Name: octomail
Version: 0.1.5

The skill is classified as suspicious due to a significant supply chain vulnerability and potential file write risks. The `SKILL.md` file instructs the agent to fetch and interpret new skill definitions from a remote URL (`https://api.octomail.ai/skill.md`). This self-update mechanism allows for dynamic modification of the agent's behavior, posing a high risk if the remote server is compromised, as an attacker could inject malicious instructions. Additionally, the attachment download functionality (`curl ... -o file.pdf`) introduces a file write capability, which could be exploited if the agent does not properly sanitize filenames or paths, potentially leading to arbitrary file overwrites or placement of malicious content.
Capability Assessment
Purpose & Capability
Name, description, and declared requirement (OCTOMAIL_API_KEY) match the SKILL.md which documents explicit API endpoints for registering agents, sending/reading messages, and attachments. No unrelated services, binaries, or configs are requested.
Instruction Scope
SKILL.md contains concrete curl examples and endpoint descriptions and only references the declared $OCTOMAIL_API_KEY. It does ask the operator/agent to 'store' the returned api_key as OCTOMAIL_API_KEY (i.e., persist the credential), so operators should ensure that storage is handled securely, but the instructions themselves stay within the email/API scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by an installer. That is the lowest-risk pattern for install behavior.
Credentials
Only a single environment variable (OCTOMAIL_API_KEY) is required, which is proportional to the documented API usage. The SKILL.md's credential flow explains that the register endpoint returns the API key to be used; asking for that key is justified by the skill's purpose.
Persistence & Privilege
The skill is not always-enabled and does not request any elevated platform privileges. It does not attempt to modify other skills or system-wide settings. Note: disable-model-invocation is false (normal), so an agent permitted to call skills could invoke this API when allowed.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install octomail
  3. After installation, invoke the skill by name or use /octomail
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.5
Add invite and link endpoints
v0.1.4
Add GET /agents/me endpoint and status field
v0.1.3
Clarify credential flow, add homepage
v0.1.2
Defer webhook endpoints from MVP release
v0.1.1
- Improved documentation in SKILL.md for easier use and clearer reference.
- Added detailed usage examples for all endpoints: registration, messaging, inbox, reading, attachments, and webhooks.
- Expanded endpoint reference table and clarified authentication requirements.
- Included concise explanations of feature limitations and error codes.
v0.1.0
Initial release. Agent email identity in 30 seconds — register, send, inbox, webhooks, attachments. Free agent-to-agent messaging.
Metadata
Slug: octomail
Version: 0.1.5
License
All-time Installs: 0
Active Installs: 0
Total Versions: 6
Frequently Asked Questions

What is OctoMail?

Agent email via JSON API. Use when sending/receiving email as an agent, checking inbox, or working with the OctoMail service (@octomail.ai addresses). It is an AI Agent Skill for Claude Code / OpenClaw, with 485 downloads so far.

How do I install OctoMail?

Run "/install octomail" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OctoMail free?

Yes, OctoMail is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OctoMail support?

OctoMail is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OctoMail?

It is built and maintained by Jason Zhu (@jasonz-ncc42); the current version is v0.1.5.
