Skillv1.0.0

ClawScan security

Ironclaw Outreach Sequencer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 17, 2026, 2:54 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions describe browser automation, Gmail CLI usage, and reading/writing a DuckDB of leads, but it does not declare or request the credentials, config paths, or tooling required to do those things — that mismatch is concerning and should be clarified before use.
Guidance: Before installing or running this skill: (1) Require the author to declare exactly what credentials and config paths are needed (Gmail OAuth tokens, LinkedIn auth/cookies, DuckDB file path) and how those secrets will be provided and stored; do not proceed if credentials are not explicit. (2) Verify the 'gog' CLI and any browser-automation tooling the skill expects are trusted and installed deliberately — the skill has no install step. (3) Remove or replace any hardcoded account identifiers in the skill and confirm who 'patrick@candlefish.ai' refers to. (4) Test in an isolated account/environment first (use a sandbox Gmail and a test LinkedIn account) to confirm behavior and rate limits. (5) Ensure opt-out, CAN-SPAM, and LinkedIn ToS handling are enforced and log all sends. (6) If you want to proceed, request the author to add explicit requires.env entries (e.g., GMAIL_OAUTH_TOKEN, LINKEDIN_SESSION, DUCKDB_PATH) and document where data is stored and how long it is retained. If the author cannot justify these omissions, treat the skill as unsafe to enable with live accounts.

Review Dimensions

Purpose & Capability: concernThe skill claims to run multi-step outreach across LinkedIn and Gmail and to read/write lead profiles in DuckDB, but the registry metadata declares no credentials, no config paths, and no required binaries. The SKILL.md references a 'gog gmail' CLI and browser automation for LinkedIn and even shows a specific account email (patrick@candlefish.ai). Those capabilities normally require OAuth/API credentials, a browser automation capability, and a DuckDB file path; none are declared — this is a mismatch between claimed purpose and declared requirements.
Instruction Scope: concernRuntime instructions direct the agent to: open LinkedIn in a browser, search for recipients, type and send messages; run 'gog gmail send' and 'gog gmail reply' with a named account; read and update lead profiles in DuckDB; optionally perform web searches for company news. These steps involve interacting with a user mailbox, message threads, and a local database. The SKILL.md does not specify where the DuckDB lives, how Gmail/LinkedIn auth is obtained, or what browser automation stack is expected — giving the agent broad, underspecified discretion to access accounts and local data.
Install Mechanism: noteThere is no install spec (instruction-only), which reduces installer risk. However, the instructions assume the presence of external tooling ('gog' CLI, DuckDB, and a browser automation environment). Because those dependencies are not installed or declared, the skill will either fail at runtime or silently depend on preinstalled tools, which is an operational/availability risk.
Credentials: concernThe skill requests no environment variables or credentials in metadata but clearly requires mailbox access (Gmail), LinkedIn session/authentication, and read/write access to a DuckDB file. The presence of a hardcoded email address in examples increases risk/ambiguity. Required secrets (Gmail OAuth tokens, LinkedIn cookies/session, DB path) are not declared — this is disproportionate and under-specified.
Persistence & Privilege: noteThe skill is not marked always:true and is user-invocable (normal). The SKILL.md includes a cron integration example for scheduled runs; that implies potential autonomous, periodic sending of messages if the user wires up scheduling. Autonomous invocation is platform-normal, but combined with the other concerns (undeclared credentials, account access) it increases the blast radius if configured without careful access controls.