Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Send
v1.0.0The last step that matters most. A complete sending intelligence system for anyone who communicates at scale or with stakes: emails, messages, files, proposa...
⭐ 0· 258·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description and the SKILL.md both focus on reviewing, auditing, and automating communications; the checklists and protocols are coherent with that purpose. However, parts of the doc (pre-send audits, merge-field resolution, test sends, SPF/DKIM checks, and automation of sequences) imply access to message bodies, attachments, mailing lists, and mail-sending APIs. The skill declares no required environment variables, binaries, or config paths, which is under-specified relative to the automation capabilities described.
Instruction Scope
The instructions contain explicit checks and pseudocode that reference reading email objects, bodies, attachments, and performing checks like 'contains_pii_or_confidential' and 'verify_to_cc_bcc'. Those actions are directly related to the skill's stated function. The SKILL.md does not instruct the agent to exfiltrate data or call unexpected external endpoints, but it does assume access to potentially sensitive content (drafts, attachments, recipient lists) and to send/test messages.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes on-disk risk and is appropriate for a guidance/assistant skill.
Credentials
The skill will need access to message content, attachments, recipient lists, and possibly sending APIs or DNS for SPF/DKIM checks to fully implement its features. Yet it declares no required credentials or environment variables. This creates a transparency gap: either it relies on the agent's existing connectors (which should be explicitly documented) or it will request access at runtime. Users should be aware the skill will process sensitive content and that automation features could require granting mail-sending permissions or API keys.
Persistence & Privilege
always is false and there is no install script or config modification. The skill does not request elevated persistent privileges in the manifest.
What to consider before installing
This skill reads and reasons about messages and attachments to decide whether something is ready to send and can suggest or automate sending. Before installing or enabling it, consider: (1) how the agent will obtain access to your drafts, mailbox, or sending APIs — the skill does not list required credentials, so expect to grant connector permissions or tokens elsewhere; (2) only grant the minimum permissions needed for test sends or automation (prefer a scoped API key or one-time approval); (3) test the skill using non-sensitive/dummy messages and recipients first; (4) if you enable autonomous sending, require explicit confirmation before any message is actually sent; (5) if you need SPF/DKIM or merge-field checks, verify whether the agent will perform DNS queries or use your mail provider — be cautious about giving access to mailing lists or full recipient databases. If you want a safer install, ask the publisher to document precisely which permissions, connectors, or environment variables the skill expects and to add explicit prompts for user approval before any send action.Like a lobster shell, security has layers — review code before you run it.
automationvk97b8hvv2e2kxsvehkh4hy3tzx82ga59communicationvk97b8hvv2e2kxsvehkh4hy3tzx82ga59emailvk97b8hvv2e2kxsvehkh4hy3tzx82ga59latestvk97b8hvv2e2kxsvehkh4hy3tzx82ga59messagingvk97b8hvv2e2kxsvehkh4hy3tzx82ga59sendvk97b8hvv2e2kxsvehkh4hy3tzx82ga59
License
MIT-0
Free to use, modify, and redistribute. No attribution required.