☤CaduceusMail 3.6.7
Inbox-reliability optimization engine: automates sender trust hardening, identity rotation, and scale-ready outreach/support flows designed to keep your mail out of junk.
☤CaduceusMail is a shippable skill for enterprise-grade alias/domain control on top of a single Microsoft 365 mailbox and Cloudflare DNS zone.
OpenClaw skill adapter for an audited caduceusmail release artifact vendored inside this skill. It manages M365 + Cloudflare mail/DNS without a runtime npm fetch.
What this does
This skill is a thin adapter around the standalone caduceusmail package. On first use the wrapper:
- Verifies the vendored tarball against a pinned SHA-512 integrity value in
vendor/caduceusmail-release.json - Extracts the audited release into a skill-owned cache under
~/.local/share/caduceusmail-skill/toolchains - Runs the CLI with a reduced environment and owner-only permissions on runtime state directories
It does not fetch code from npm at runtime, install a global package, or execute npm lifecycle scripts.
First move
Run the doctor through the secure wrapper before you do anything theatrical.
bash {baseDir}/scripts/run.sh doctor --json
Quick start
bash {baseDir}/scripts/run.sh bootstrap \
--organization-domain "example.com" \
--mailbox "ops@example.com" \
--bootstrap-auth-mode device
Daily headless run after bootstrap
bash {baseDir}/scripts/run.sh bootstrap \
--organization-domain "example.com" \
--mailbox "ops@example.com" \
--skip-m365-bootstrap
Lane operations
bash {baseDir}/scripts/run.sh provision-lane \
--mailbox "ops@example.com" \
--local "support" \
--domain "support-reply.example.com"
bash {baseDir}/scripts/run.sh verify-lane \
--mailbox "ops@example.com" \
--alias-email "support@support-reply.example.com" \
--domain "support-reply.example.com"
bash {baseDir}/scripts/run.sh retire-lane \
--mailbox "ops@example.com" \
--alias-email "support@support-reply.example.com"
Hard Rules
- never send group emails from one operation
- never send one message to multiple recipients at once
- treat no-reply lanes as intentional non-receiving identities (no MX + SPF
-allprofile) - delete defaults are reply-safe: aliases are retired with fallback continuity unless explicitly hard-removed
What this skill can do
- bootstrap Graph and Exchange auth posture
- hand off Microsoft device-login flows for VPS/SSH setups through OpenClaw gateway/browser hooks
- audit credential and DNS posture
- optimize root mail records
- provision reply and no reply lanes under subdomains
- verify lane readiness
- retire lanes with reply continuity
- generate awareness snapshots and machine readable state artifacts
OpenClaw runtime pattern
Prefer secret injection through skills.entries.caduceusmail.env over editing files. See examples/openclaw.config.json5.
The wrapper forwards only the CaduceusMail/OpenClaw/M365/Cloudflare variables it needs plus terminal/headless hints, so unrelated host secrets are not passed through by default.
External script resolution stays disabled unless CADUCEUSMAIL_ALLOW_EXTERNAL_SCRIPT_RESOLUTION=1 is set explicitly.
Security and Privilege Disclosure
This skill performs high-privilege operations by design:
- Microsoft Graph app role grants
- Exchange service principal and RBAC role assignments
- Exchange accepted-domain tuning (optional flags)
- Cloudflare DNS mutations for lane records
Runtime state artifacts are written under ~/.caduceusmail/intel with owner-only permissions. Env/secret persistence remains opt-in in the underlying tool, and any persisted env file is expected to stay owner-readable only.
Use least-privilege credentials: a dedicated Entra service principal scoped to the required Graph/Exchange roles and a Cloudflare token limited to the target zone's DNS permissions.