☤CaduceusMail 3.6.7

Inbox-reliability optimization engine: automates sender trust hardening, identity rotation, and scale-ready outreach/support flows designed to keep your mail out of junk.

☤CaduceusMail is a shippable skill for enterprise-grade alias/domain control on top of a single Microsoft 365 mailbox and Cloudflare DNS zone.

OpenClaw skill adapter for an audited caduceusmail release artifact vendored inside this skill. It manages M365 + Cloudflare mail/DNS without a runtime npm fetch.

What this does

This skill is a thin adapter around the standalone caduceusmail package. On first use the wrapper:

1. 1. Verifies the vendored tarball against a pinned SHA-512 integrity value in INLINECODE2
2. Extracts the audited release into a skill-owned cache under INLINECODE3
3. Runs the CLI with a reduced environment and owner-only permissions on runtime state directories

It does not fetch code from npm at runtime, install a global package, or execute npm lifecycle scripts.

First move

Run the doctor through the secure wrapper before you do anything theatrical.

CODEBLOCK0

Quick start

CODEBLOCK1

Daily headless run after bootstrap

CODEBLOCK2

Lane operations

CODEBLOCK3

Hard Rules

• * never send group emails from one operation
• never send one message to multiple recipients at once
• treat no-reply lanes as intentional non-receiving identities (no MX + SPF -all profile)
• delete defaults are reply-safe: aliases are retired with fallback continuity unless explicitly hard-removed

What this skill can do

• * bootstrap Graph and Exchange auth posture
• hand off Microsoft device-login flows for VPS/SSH setups through OpenClaw gateway/browser hooks
• audit credential and DNS posture
• optimize root mail records
• provision reply and no reply lanes under subdomains
• verify lane readiness
• retire lanes with reply continuity
• generate awareness snapshots and machine readable state artifacts

OpenClaw runtime pattern

Prefer secret injection through skills.entries.caduceusmail.env over editing files. See examples/openclaw.config.json5.
The wrapper forwards only the CaduceusMail/OpenClaw/M365/Cloudflare variables it needs plus terminal/headless hints, so unrelated host secrets are not passed through by default.
External script resolution stays disabled unless CADUCEUSMAIL_ALLOW_EXTERNAL_SCRIPT_RESOLUTION=1 is set explicitly.

Security and Privilege Disclosure

This skill performs high-privilege operations by design:

• * Microsoft Graph app role grants
• Exchange service principal and RBAC role assignments
• Exchange accepted-domain tuning (optional flags)
• Cloudflare DNS mutations for lane records

Runtime state artifacts are written under ~/.caduceusmail/intel with owner-only permissions. Env/secret persistence remains opt-in in the underlying tool, and any persisted env file is expected to stay owner-readable only.
Use least-privilege credentials: a dedicated Entra service principal scoped to the required Graph/Exchange roles and a Cloudflare token limited to the target zone's DNS permissions.