Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
React Email Skills
v1.1.0
Use when creating HTML email templates with React components - welcome emails, password resets, notifications, order confirmations, newsletters, or transacti...
⭐ 0 · 3.7k · 10 current · 13 all-time
by Christina Martinez (@christina-de-martinez)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the content: all files are documentation and examples for creating HTML email templates with React (components, patterns, styling, sending examples). Nothing in the files suggests a different purpose.
Instruction Scope
The SKILL.md and referenced docs instruct the user/agent to run commands that scaffold projects (npx/create-email), install dependencies, run a local dev server, copy static files, and verify localhost:3000. Additionally the sending docs include example code that reads process.env (e.g., process.env.RESEND_API_KEY, SENDGRID_API_KEY, SMTP_USER/SMTP_PASS) and npx commands that require interactive setup. The skill metadata declares no required env vars, yet the instructions reference and demonstrate use of several credentials — this mismatch should be clarified. The instructions also advise uploading templates and running CLI tooling that will fetch code from npm when invoked (npx), so users should review those remote artifacts before execution.
Install Mechanism
This is instruction-only (no install spec). That lowers the static risk surface. However, the instructions tell users/agents to run npx/yarn/pnpm/bun commands which will download and execute code from public package registries (npm/bun). This is expected for a scaffolding workflow but does mean running the commands will pull remote code at runtime — review what those packages do before running in a privileged environment.
Credentials
The skill metadata lists no required environment variables, yet the included sending examples reference multiple secrets (RESEND_API_KEY, SENDGRID_API_KEY, SMTP_USER, SMTP_PASS) and use process.env.NODE_ENV to choose image base URLs. Requesting or using these credentials is reasonable for sending emails, but the documentation should have declared them. If the agent or environment exposes secrets, these instructions could cause credential use or accidental leakage without the skill explicitly declaring them.
Persistence & Privilege
No persistence requested. always is false, no config paths or install scripts are included. The skill does not request permanent presence or modify other skills according to the manifest.
What to consider before installing
This skill is basically documentation and examples for building React-based email templates — that matches its name. However, review these points before installing or running any commands:
1) The docs include examples that require API keys (Resend, SendGrid) and SMTP credentials but the skill does not declare any required env vars; only provide secrets when you explicitly need to send emails and ensure they are stored securely.
2) The runtime instructions tell you to run npx/create-email and other package managers — those commands download and execute code from npm (remote packages). Inspect the package(s) or run them in an isolated environment if you’re unsure.
3) The examples reference process.env.NODE_ENV and other env variables — confirm your agent runtime will not expose unrelated secrets.
4) If you plan to allow the agent to execute shell commands, review each suggested command and prefer running them manually the first time.
If you want lower risk, keep this skill as a read-only reference and avoid giving it access to your credentials or the ability to run arbitrary shell commands. If you need, ask the skill author to explicitly declare required env vars and clarify which commands the agent will run autonomously.
Like a lobster shell, security has layers — review code before you run it.
