EngageLab Email
Warn
Audited by ClawScan on May 18, 2026.
Overview
This email skill mostly matches its stated purpose, but its sender script appears to put the EngageLab API credential into the email payload headers, which could expose the account key.
Review or fix scripts/send_email.py before installing or using this skill with real EngageLab credentials. If you proceed, use a restricted/rotatable API key, test only in sandbox mode first, and manually verify recipients, content, attachments, tracking, and live-send settings before each send.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A real EngageLab API key could be exposed through outbound message metadata or provider-side payload handling, putting the sending account at risk.
The same local variable used for the HTTP Authorization header is later inserted into the email payload's headers field, so the Basic api_user:api_key value can be included in custom email headers or stored in message payload logs instead of being used only for API authentication.
headers = {"Content-Type": "application/json;charset=utf-8", "Authorization": f"Basic {encoded_auth}"}
...
if headers:
    mail_body["headers"] = headers
Do not use the helper with real credentials until fixed. Separate HTTP headers from email custom headers, never include Authorization in the mail body, and rotate any API key already used with this script.
An incorrect prompt or configuration could send messages, attachments, or tracking settings to the wrong recipients.
The skill intentionally enables live email sending with attachments and delivery settings; that is purpose-aligned but can affect recipients and account reputation if used without review.
Use this skill when you need to send emails, manage email templates, handle email attachments, or configure email sending behavior.
Use sandbox mode for tests and require explicit user confirmation of recipients, sender, content, attachments, and live-send settings before any real email is sent.
