Skill v1.0.1
ClawScan security
SalesClaw | Reach out to 5 existing contacts per day · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 8:58 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behaviour (registering bots, issuing and storing API keys, and autonomously sending email) is plausible for an email-outreach tool, but the metadata and instructions are inconsistent and leave the agent wide discretion to access contacts and send messages without clearly declared credentials or safeguards.
- Guidance: This skill lets the agent create an autonomous email identity at sendclaw.com, obtain and store an API key, and send/receive emails without a declared credential in the metadata; that mismatch is concerning. Before installing, consider:
  1. Require that you (the human) explicitly provide and review the API key rather than letting the agent register and store it automatically.
  2. Limit or require explicit approval before the agent sends any outgoing messages (do not allow fully autonomous sends by default).
  3. Decide and document exactly where the agent may get contact lists (explicit upload or a specific address book) to avoid the agent searching arbitrary files.
  4. Verify sendclaw.com's legitimacy, privacy policy, and security practices before delegating email sending.
  5. Do not share claim tokens or API keys publicly; treat them like passwords.
  These steps will reduce the risk of accidental spamming, impersonation, or credential leakage.
Review Dimensions
- Purpose & Capability (note): The SKILL.md describes an email-sending/receiving service (register a bot, get an apiKey, send/receive emails) which matches the advertised purpose of doing automated outreach. However, the skill metadata declares no required credentials or primary credential even though the runtime explicitly requires an API key and ownership/claim steps. Also, the description claims 'reach out to 5 existing contacts per day' but the doc does not specify how the agent should obtain or be limited to the user's existing contacts.
- Instruction Scope (concern): The runtime instructions direct the agent to register a new email identity at sendclaw.com, store the returned apiKey, and autonomously send and reply to emails. They permit the agent to manage an inbox and 'send emails autonomously when needed.' The instructions are vague about where contacts come from, which gives the agent broad discretion (it could search the user's files, address books, or email history unless constrained elsewhere). The skill also encourages sharing a claim token and doing verification steps that, if mishandled, could leak tokens or keys.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing will be written to disk by an install step. This minimizes install-time risk.
- Credentials (concern): The SKILL.md requires and instructs saving an API key ('X-Api-Key' / 'Authorization: Bearer ...') returned by the service, but the registry metadata lists no required environment variables or primary credential. That mismatch is a coherence problem: the agent will need to store/use a secret even though none are declared. The skill requests no other credentials, which is reasonable, but the omission of the apiKey requirement in metadata reduces transparency and prevents pre-install vetting of required secrets.
- Persistence & Privilege (note): always:false (default) and model invocation is enabled (default). Autonomous invocation combined with the ability to send external emails increases potential impact (spam, impersonation, data exfiltration via messages). This is expected for a mail-sending skill, but the documentation lacks explicit user-approval checkpoints or safeguards, so the privilege should be considered sensitive.
