Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Arcascience Email
v1.0.0
Email assistant for Romain at ArcaScience to read, triage, and draft context-aware replies using pharma dossiers, adapting tone and language per sender profile.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the behavior: reading inbox, triaging, drafting context-aware replies using ArcaScience dossiers. However, the SKILL.md expects local dossier directories (e.g., arcascience_dossiers/companies/, master_targeting_table.csv) that are not declared in the skill metadata (no required config paths or files listed). The skill also depends on a separate 'Gmail skill (Maton API)' to fetch mail; that external dependency and any credentials it requires are not described here.
Instruction Scope
Runtime instructions are explicit and largely within email-assistant scope (fetch full email content, triage, adapt language/tone, draft replies, and propose attachments). Two items to flag: (1) it instructs the agent to proactively suggest/attach internal sales/proposal documents (potentially sensitive) and (2) it tells the agent to 'search web if needed' to infer sender/company context — this can cause unbounded external queries. The SKILL.md does not request reading unrelated system files or environment vars, but it does reference dossier locations that are not declared.
Install Mechanism
Instruction-only skill with no install spec or code files to execute. This minimizes direct install risk (nothing is downloaded or written to disk by the skill itself).
Credentials
The skill declares no required environment variables or primary credentials, which is consistent with being instruction-only. However, it relies on the Gmail skill/API to access romain@arcascience.ai emails — that Gmail integration will require credentials or access tokens outside this package. Also, the SKILL.md expects access to internal dossier files; those paths are not declared in requires.config and should be verified. No unrelated secrets are requested by this skill bundle itself.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed (platform default) and the skill mentions a daily cron job trigger. There is no request to modify other skills or global agent settings. The cron trigger means it may run periodically if the platform scheduler is configured — confirm you want daily draft generation for this account.
What to consider before installing
This skill looks like a legitimate, instruction-only email assistant, but verify three things before installing: (1) Confirm how the Gmail integration (Maton API) is wired and which credentials/tokens are granted — giving any skill mailbox access is sensitive. (2) Check whether the referenced dossier directories (arcascience_dossiers/..., master_targeting_table.csv) exist and whether the skill will have access to confidential sales/proposal PDFs; the SKILL.md expects internal documents that were not declared in the metadata. Decide whether you want the skill to proactively suggest/attach internal files (it instructs to do so). (3) If you enable the daily cron, confirm the frequency and whether automatic draft generation is acceptable. If any of these are unclear, ask the skill author to declare required config paths and describe the Gmail integration and cron behavior before installing.
Like a lobster shell, security has layers — review code before you run it.
