Is claw-silhouette/botemail-ai safe?
https://github.com/openclaw/skills/tree/main/skills/claw-silhouette/botemail-ai
BotEmail.ai is a documentation-only API skill with no executable code, no git hooks, and a clean SKILL.md containing no overt prompt injection. Its primary risks are functional rather than installation-time: the heartbeat feature creates an indirect prompt injection channel (any party who emails the bot address can inject content into the agent's persistent HEARTBEAT.md state), and 2FA code interception and bot fleet creation are explicitly advertised use cases with direct account-takeover and mass-fraud applications. Canary file accesses observed during monitoring are attributable to the audit infrastructure performing baseline verification, not the skill itself.
Category Scores
Findings (10)
HIGH Indirect prompt injection via heartbeat email content -20
The heartbeat feature instructs the agent to periodically fetch all emails from the bot inbox and surface sender, subject, and preview content in HEARTBEAT.md and notifications. Email bodies are fully attacker-controlled — any party who knows the bot email address can inject arbitrary instructions into the agent's context. If HEARTBEAT.md is re-read by the agent in future sessions (as heartbeat files typically are), the injection persists across sessions.
LOW Persistent state files create cross-session injection surface -10
HEARTBEAT.md and memory/heartbeat-state.json are written and re-read across agent sessions. Content derived from external email (attacker-controlled) that is stored in or influences these files persists beyond the originating session, allowing a one-time email to have ongoing influence on agent behavior.
LOW Autonomous operation framing discourages user oversight -5
The skill's frontmatter description explicitly positions the tool as operating 'without your human,' normalizing reduced user confirmation for workflows involving external service registration, credential handling, and 2FA interception.
MEDIUM User API credentials continuously transmitted to unvetted third-party service -15
Every inbox fetch and heartbeat poll sends the user's API key to api.botemail.ai via Authorization Bearer header. The service has no independently auditable privacy policy accessible from the skill package. If botemail.ai is compromised or operated maliciously, all credentials and inbox contents are exposed. Recurring automated polling amplifies this exposure indefinitely.
LOW Agent directed to interact with .env files for credential storage -7
The skill instructs the agent to recommend .env files as a storage location for bot API keys. This trains the agent to treat .env files as a normal interaction target within credential workflows, potentially broadening the surface area for credential handling in future agentic steps.
INFO Working 2FA extraction code patterns in documentation -8
EXAMPLES.md contains operationally complete JavaScript functions for extracting verification codes from email bodies using regex patterns, polling logic with retry, and link extraction. While documentation-only, these patterns are ready to copy-execute and lower the barrier for 2FA bypass automation.
MEDIUM Canary credential files accessed in sequential batch during monitoring window -20
inotify recorded OPEN/ACCESS/CLOSE_NOWRITE events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json in a single rapid sequential batch. The same pattern recurred twice. Timing analysis places both batches at audit infrastructure boundaries (1771932496 before clone start, 1771932513 at audit teardown), strongly suggesting that the oathe monitoring system, rather than the skill, was performing integrity baselines. The skill contains no executable code capable of filesystem reads. Noted for completeness and manual verification.
MEDIUM 2FA OTP interception explicitly advertised as primary use case -20
The skill's design and examples center on receiving and extracting one-time passwords and verification codes. This capability directly enables MFA bypass in account takeover scenarios when an adversary possesses phished or leaked primary credentials. The polling and code-extraction automation is documented with production-ready patterns.
MEDIUM Bot fleet creation enables mass fake account registration -18
The skill demonstrates creating named fleets of bot accounts each with isolated inboxes to support parallel automation workflows. This infrastructure is directly applicable to mass fake account registration across web services for spam, astroturfing, fraud, and abuse-of-service attacks.
LOW Canary files read (non-destructively) during audit session -15
Six canary credential files were opened and read during the audit session. All events show CLOSE_NOWRITE, indicating no modification occurred. Post-audit integrity hashes confirm file contents are unchanged. Access is not attributable to the skill (no executable code present) and is consistent with the audit monitoring infrastructure performing pre/post baseline checks. Noted for completeness.