Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pitch Follow-Up Tracker

v1.0.0

Track outreach pitches and draft contextual follow-up emails. Monitors a pitch tracker (Google Sheet or local markdown), checks Gmail for replies, flags stal...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's actions (checking Gmail, reading a Sheet or local markdown, drafting follow-ups) are coherent with its description. However, the registry metadata lists no required binaries or tools while the SKILL.md explicitly requires the 'gog' CLI for Gmail access and the README mentions a 'web_search' tool — those requirements are not declared in the registry, an inconsistency that should be clarified.
Instruction Scope
Runtime instructions tell the agent to run explicit gog gmail and gog sheets commands (expected) and to read local markdown trackers (expected). They also instruct the agent to check 'recent memory/context', 'daily memory files', or any tracker for context — vague directives that could cause the agent to read unspecified local files or personal memory stores. The SKILL.md also truncates the 'add value' flow (likely web lookups) but doesn't declare how those lookups are performed or what external tool is used.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That reduces supply-chain risk. The real runtime risk comes from the external CLI/tooling it asks to use (gog, possibly a web_search tool).
Credentials
The registry declares no environment variables or credentials, yet the SKILL.md requires a configured Google account through the gog CLI (which implies local credentials/access to the user's Gmail). The README also references a web_search tool not declared in registry metadata. The skill's implicit need for Gmail access is proportionate to purpose, but the lack of explicit declaration and the instruction to consult unspecified 'memory' files raises concerns about overbroad local data access.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request persistent or elevated platform privileges. As an instruction-only skill it cannot modify other skills or system-wide settings on its own.
What to consider before installing
Things to check before installing/using this skill:
- Confirm the 'gog' CLI it references: where does it come from, is it reputable, and are you comfortable authenticating your Google account through it? Inspect the gog binary/source before installing.
- Ask the skill author to update registry metadata to declare required tools (gog, and any web_search tool) so you know exactly what will be invoked.
- The skill will run gmail search/get commands that read your inbox and drafts. If you don't want full mailbox access, use a secondary account or limit permissions for the gog credential.
- Clarify what 'recent memory/context' and 'daily memory files' refer to; require the skill to ask for explicit permission before reading any non-tracker local files or memory stores.
- If using a local markdown tracker, ensure the path is correct and that the file format is acceptable; the skill will parse and extract contact emails and pitch content.
- Prefer manual invocation (not autonomous) until you confirm behavior; review generated search queries and draft emails before sending.
- If unsure, request that the author provide a minimal reproducible runbook or attestations (e.g., exact gog commands used, where web searches occur), or run the skill in an isolated environment/account first.
