Scan Report
5 /100
inkbox
Send and receive emails and phone calls via Inkbox agent identities with encrypted vault support
Legitimate communication SDK skill for email, phone, and vault operations via the Inkbox API with no malicious behavior detected.
Safe to install
Approve for use. The skill is a standard API client library with clear documentation and no hidden functionality.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md:61-66 - reads config files for env vars |
| Network | NONE | WRITE | ✓ Aligned | SKILL.md:62 - SDK makes API calls to inkbox.ai |
| Shell | NONE | NONE | — | No shell scripts in skill; npm install documented but not auto-executed |
6 findings
Medium External URL 外部 URL
https://openclaw.ai README.md:3 Medium External URL 外部 URL
https://inkbox.ai README.md:3 Medium External URL 外部 URL
https://console.inkbox.ai README.md:29 Medium External URL 外部 URL
https://aws.amazon.com SKILL.md:244 Info Email 邮箱地址
[email protected] SKILL.md:107 Info Email 邮箱地址
[email protected] SKILL.md:389 File Tree
3 files · 20.0 KB · 592 lines Markdown 2f · 581L
JSON 1f · 11L
├─
package.json
JSON
├─
README.md
Markdown
└─
SKILL.md
Markdown
Dependencies 1 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@inkbox/sdk | ^0.1.1 | npm | No | SDK is the implementation; version range is reasonable |
Security Positives
✓ SDK package @inkbox/sdk ^0.1.1 is pinned to a specific version range
✓ No scripts directory or executable code present - purely documentation
✓ No sensitive file access detected (no ~/.ssh, ~/.aws, or .env access)
✓ No obfuscation, base64-encoded payloads, or anti-analysis techniques
✓ No credential harvesting beyond the declared INKBOX_API_KEY requirement
✓ No data exfiltration or C2 communication patterns
✓ No supply chain risks - standard npm package with stable versioning
✓ Clear, comprehensive documentation matching the skill's stated purpose