Is casperaiassist/postwall safe?
https://github.com/openclaw/skills/tree/main/skills/casperaiassist/postwall
PostWall is a legitimately architected email gateway skill that routes all email content through postwallapp.com by design, creating a high-trust third-party dependency that users must consciously accept. The two primary concerns are: (1) all email bodies — including pending drafts — transit postwallapp.com's servers before any human approval occurs, and (2) the skill instructs the agent to autonomously poll for emails every 5-10 minutes without explicit user direction, persistently expanding agent scope. No malicious prompt injection, hidden code, canary compromise, or exfiltration was detected during installation.
Findings (7)
HIGH All Email Content Routed Through Third-Party postwallapp.com by Design -25
The skill is architecturally designed to proxy all email operations through postwallapp.com. Draft email bodies are transmitted to postwallapp.com at the time the agent submits a draft — before the human approval step occurs. Approved inbox emails are fetched from postwallapp.com's servers. This means postwallapp.com has persistent, unrestricted access to all email content processed through this skill. While this is the stated design, users must consciously accept that a third party holds all their agent-mediated email data.
MEDIUM Autonomous Polling Instruction Expands Agent Scope Without User Direction -15
SKILL.md explicitly instructs the LLM agent to proactively poll postwallapp.com for emails every 5-10 minutes during active sessions, without requiring the user to ask. This is a prompt-level instruction that overrides the default reactive posture of an agent, causing it to take scheduled background actions and make network requests outside the user's direct conversational control. This pattern is a known mechanism for skill authors to drive persistent agent activity.
MEDIUM Single-Point-of-Failure Trust Model on postwallapp.com -20
The skill presents itself as a security layer, but the entire security guarantee is contingent on postwallapp.com being uncompromised and honest. A malicious or compromised postwallapp.com could silently read all emails flagged for approval, inject content into approved emails before delivery, or suppress approval notifications. Users have no cryptographic proof of postwallapp.com's behavior. The npm package 'postwall' is also under postwallapp.com's control, creating a supply-chain dependency.
MEDIUM Agent Instructed to Self-Direct Email Processing Without Explicit User Request -10
The Common Workflows section instructs the agent to automatically invoke postwall inbox and process emails whenever check returns a non-zero count. This means a user doing an unrelated task could have the agent silently reading email content in the background, exposing inbox data to the agent's context without the user explicitly asking for it.
LOW Required npm Package 'postwall' Has Unaudited Install Scripts -15
The skill's openclaw metadata declares a required npm package install step for 'postwall' from postwallapp.com's repository. npm packages can execute arbitrary shell code during preinstall/postinstall lifecycle events. This npm package was not inspected within this audit's scope. Any malicious or compromised version of the 'postwall' npm package could execute code at install time with the user's privileges.
LOW API Key Stored in Plaintext at ~/.postwall/config.json -10
The postwallapp.com API key is stored in plaintext at ~/.postwall/config.json after initial auth. Any other skill, process, or agent with filesystem read access to the home directory can read this key and authenticate as the user to postwallapp.com, gaining full ability to read approved emails and submit drafts on the user's behalf.
INFO Canary Files Opened Post-Install — Consistent With Monitoring Framework Sweep -12
Sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at timestamp 1771934790.878, approximately 4 seconds after skill installation completed. The same files were accessed at 1771934768.4xx (pre-install baseline) by the same monitoring infrastructure. The canary integrity report confirms all files are unmodified. No skill-induced credential access is indicated.