Contractor Marketing

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is marketing-focused, but it asks for recurring autonomous tasks and paid/public marketing actions without clear approval or disable controls.

Before installing, confirm that this skill will not publish posts, respond to reviews, send texts/emails, or change ad budgets unless you explicitly approve each action. Also review any cron/scheduler setup, decide what business details may be stored in memory, and treat the embedded Supabase key as a public read-only integration key.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could keep running marketing workflows on a schedule and potentially create or prepare public-facing content even after the immediate user request is over.

Why it was flagged

The skill directs creation of recurring background tasks for marketing activity, including Google Business Profile and social media work, without specifying opt-in, review, disable, or containment controls.

Skill content

## Scheduled tasks (heartbeat/cron)
Set up crons for recurring tasks:
- Monday 7am: GBP post + review check
- Sunday 6pm: social media batch

Recommendation

Require explicit opt-in for each schedule, show what will run and when, require approval before publishing, and provide a clear way to pause or remove all scheduled tasks.

What this means

If connected to ad or messaging tools, the agent could affect advertising spend, campaign performance, or customer communications without a final human check.

Why it was flagged

These are high-impact operational instructions for ad campaigns and lead communications, but the artifacts do not require user confirmation before pausing ads, increasing spend, or sending messages.

Skill content

- Kill CTR below 1% (FB) or 3% (Google) after 1K impressions. Scale winners 20%.
- Minute 0: auto-text + auto-email

Recommendation

Treat campaign changes and outbound messages as drafts/recommendations unless the user explicitly approves the exact action, recipient/channel, timing, and budget impact.

What this means

Business profile details may persist across sessions and be reused in future tasks.

Why it was flagged

The skill intentionally persists onboarding answers; the referenced questions include business contact details, address, employees, competitors, marketing budget, and payment-method information.

Skill content

If no business profile exists in memory, run onboarding... Ask all 35 questions one at a time... Save answers to `MEMORY.md` or workspace memory

Recommendation

Ask before storing the profile, let the user review/edit/delete stored data, and avoid saving sensitive details that are not needed for ongoing marketing work.

What this means

The skill can contact an external database for strategy content; if the key or database permissions are too broad, the endpoint could be abused outside this skill.

Why it was flagged

The skill embeds a credential-like Supabase API key for strategy-library access. It appears to be an anon key used for the stated purpose, but it still grants access according to the database permissions behind it.

Skill content

curl -s "https://dmlybcnpwtnaadmapdhl.supabase.co/rest/v1/strategies?...&apikey=eyJhbGciOi..."

Recommendation

Keep the key least-privileged and read-only, enforce Supabase row-level security, avoid embedding writable or sensitive keys, and disclose the external data source to users.