Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EngageLab Email

v1.0.1

This skill is used to send emails via the EngageLab REST API. It supports regular sending, template sending, variable replacement, attachment handling, and s...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, and code (scripts/send_email.py + api_spec) match: it's an email-sending client for EngageLab. However, the metadata declares no required environment variables or primary credential even though the code requires an API user and API key to authenticate with EngageLab. The missing credential declaration is an inconsistency between the metadata and the code.
Instruction Scope
The SKILL.md and included scripts focus on constructing and POSTing email payloads to EngageLab endpoints and handling attachments. The instructions do not ask the agent to read unrelated system files or network endpoints beyond the EngageLab API. Example code includes reading a local file only as an attachment example, which is within scope.
Install Mechanism
This is an instruction-only skill with bundled Python scripts (no install spec). Running the scripts requires Python and the 'requests' package, but the metadata does not declare that dependency. No remote downloads or obscure installers are used, so installation risk is low, but runtime prerequisites are not documented.
Credentials
The Python code requires sensitive credentials (api_user and api_key) to build Basic auth for the API, but the skill metadata lists no required env vars or primary credential. That mismatch increases the chance credentials will be supplied insecurely (e.g., pasted into prompts) or overlooked. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request persistent/global privileges (always is false) and does not modify other skills or global config. It runs as an on-demand helper; autonomy is allowed by default but not unusual.
What to consider before installing
This skill's code implements an EngageLab email sender and needs an api_user and api_key, but the skill metadata does not declare those credentials — that mismatch is the main red flag. Before installing or using it: (1) confirm the EngageLab endpoints and operator (no homepage is provided); (2) do NOT paste API credentials into chat prompts — instead provide them via whatever secret/env mechanism your platform supports; (3) ask the publisher to declare the required environment variables (e.g., ENGAGELAB_API_USER, ENGAGELAB_API_KEY) and a primary credential in the registry so the platform can manage them securely; (4) ensure the environment has Python and the 'requests' library or update the skill to declare dependencies; (5) test using sandbox mode and limited recipient addresses; and (6) review/verify the owner or source before granting the skill access to real credentials. If the publisher cannot justify the missing credential declarations or provide a trustworthy homepage/source, treat the skill cautiously.

Like a lobster shell, security has layers — review code before you run it.

latestvk973cdebeesxf4865g0spr1ncs833xnf
