Back to skill
Skillv2.0.0
ClawScan security
Email Template · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:50 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it claims (generate email templates); it includes an additional prompt-engineering helper that writes modest logs to a data directory, but there are no network calls or unexpected credentials requested.
- Guidance
- This skill appears to be what it says: an email-template generator with helpful static templates. Before installing or running, note that the package includes a secondary helper script (scripts/script.sh) that provides prompt-engineering commands and writes logs to a data directory (default ~/.local/share/email-template). There are no network calls or credential requests in the code. If you are uncomfortable with local persistence, inspect or delete scripts/script.sh, or set EMAIL_TEMPLATE_DIR to a path you control / run in a sandbox. Otherwise it is reasonable to use the skill.
Review Dimensions
- Purpose & Capability
- noteThe package's primary functionality (email template generation) matches the name/description and the main script (scripts/emailtpl.sh). However, scripts/script.sh adds a broader 'AI and prompt engineering assistant' surface (prompt/system/compare/etc.) that is not documented in SKILL.md — this is extra functionality but not obviously malicious.
- Instruction Scope
- okSKILL.md instructs running bash scripts/emailtpl.sh to produce templates and to present/offer customization. The provided scripts produce static templates and guidance; they do not read unexpected system files or transmit data to external endpoints.
- Install Mechanism
- okThere is no install spec (instruction-only with shipped scripts). No downloads or external installers are used.
- Credentials
- noteThe skill declares no required environment variables. The included script honors EMAIL_TEMPLATE_DIR and falls back to XDG_DATA_HOME/$HOME for storage; it also uses python3 for a small local calculation. No secrets or external service credentials are requested.
- Persistence & Privilege
- notescripts/script.sh creates a data directory (default: $XDG_DATA_HOME/email-template or $HOME/.local/share/email-template) and appends logs/history there. This is persistent state local to the user (not system-wide) — expected for a tool that keeps usage history but worth noting.