Skill v2.0.2

ClawScan security

Agnic Agent Email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 23, 2026, 2:33 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match an email CLI (npx agnic) and appear coherent for sending/receiving mail, but it omits declaring the sensitive AGNIC_TOKEN env var and relies on running npx @latest (which fetches and executes remote code), so there are proportionality and installation risks you should review before installing.
Guidance
This skill appears to be a thin wrapper around the agnic CLI. Before installing:
1) Confirm you trust the 'agnic' npm package and consider pinning a specific version rather than using @latest; npx will download and run remote code.
2) Expect to provide a sensitive AGNIC_TOKEN for headless use—verify where that token is sent, what scopes it has, and whether you can rotate/revoke it.
3) Note emails are retained 30 days—ensure this retention and privacy model fit your needs.
4) If you need stronger assurances, ask the skill author to declare AGNIC_TOKEN in requires.env, document the npm package provenance, and prefer a fixed release (not @latest).

Review Dimensions

Purpose & Capability
note: Name/description align with the runtime instructions: all commands use the agnic CLI (npx agnic@latest email ...). The requested capabilities (check inbox, send/reply, set alias) are consistent with calling that CLI.
Instruction Scope
note: SKILL.md restricts actions to calling the agnic CLI and includes reasonable input validation guidance. It does not instruct reading unrelated files or system state. However, it explicitly references an authentication token (AGNIC_TOKEN) and interactive login flows that are not declared in the skill's required env list, an inconsistency worth flagging.
Install Mechanism
concern: The skill is instruction-only but relies on 'npx agnic@latest' at runtime. npx/@latest will fetch and execute code from the npm registry on-demand; that behavior can change over time and execute arbitrary remote code. For lower risk, commands should prefer pinned versions or document the package source and trust model.
Credentials
concern: The SKILL.md documents use of a sensitive environment variable (AGNIC_TOKEN) for headless auth, but the skill metadata lists no required env vars or primary credential. This mismatch hides that a secret token may be needed and transmitted to the agnic service; the token scope and storage/rotation expectations are not declared.
Persistence & Privilege
ok: The skill does not request always:true, has no install spec that writes files, and does not request system-level config paths. It does not ask to persist or modify other skills or global agent settings.