Back to skill
Skillv1.0.0
ClawScan security
email-template-builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 3:20 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only email template/code-generation guide whose requirements and instructions are consistent with its stated purpose and it does not request unusual privileges or credentials.
- Guidance
- This skill appears to be a templates-and-code generator only. Before using it: review any generated code for hardcoded URLs or tracking pixels, avoid pasting production API keys into example files, supply provider credentials (Resend/Postmark/SendGrid/AWS SES) via your own project environment variables or secret store, and verify unsubscribe/analytics handling meets your privacy and deliverability requirements. If the skill ever asks for your cloud or email provider credentials, or instructs the agent to read local files or upload data to an external server, stop and re-evaluate — that would be unexpected for a template generator.
Review Dimensions
- Purpose & Capability
- okThe name/description (email template builder) match the SKILL.md content: templates, layout, provider adapter examples, preview server, i18n, dark mode and tracking. Nothing in the metadata or SKILL.md asks for unrelated system access or credentials.
- Instruction Scope
- noteThe SKILL.md provides project scaffolding and code examples (React Email, MJML, preview server, provider adapter stubs). It references external assets (web font URL, logo URL) and placeholders like {{unsubscribe_url}} and describes adding open/click tracking and UTM parameters. The instructions do not tell the agent to read user files, environment variables, or transmit secrets, but generated code will need user-supplied provider credentials at deployment time — the document does not auto-provision those.
- Install Mechanism
- okNo install spec and no code files are included; this is instruction-only. Nothing is downloaded or executed by the skill itself.
- Credentials
- okThe skill declares no required environment variables or credentials. That is proportionate for a code/template generator. (Note: real sending integrations will require provider API keys that the user must supply when they implement/deploy the generated code.)
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent or cross-skill configuration. It does not attempt to modify other skills or system settings.