Skill v1.0.4

ClawScan security

Cold Email Prospecting Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (scanned Feb 23, 2026, 5:24 PM)
Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's declared purpose (finding/verifying emails and phones) matches its instructions to call a third‑party RevoScale API and the single required credential; nothing in the files indicates hidden exfiltration or unrelated privileges, though there are a few metadata inconsistencies and privacy/third‑party risks to consider.
Guidance
This skill appears coherent: it calls a RevoScale API and requires a single REVOSCALE_API_KEY. Before installing, verify the RevoScale service (https://app.revoscale.io) is legitimate and acceptable for sending names/LinkedIn URLs and potential personal contact data. Confirm billing and privacy (what RevoScale stores/retains and whether unlimited usage claims are accurate). Also note minor metadata mismatches in the package (declared required env var in SKILL.md and claw.json vs. registry summary, and a version mismatch); consider asking the publisher for a homepage/source repo to increase confidence. If you cannot trust the third party with contact data, do not provide real personal or sensitive information to this skill.

Review Dimensions

Purpose & Capability
note: The SKILL.md describes calling RevoScale endpoints (email-finder, email-verifier, personal-email-finder, mobile-phone-finder), which aligns with the skill name and description. Requiring a REVOSCALE_API_KEY is appropriate for this provider. Minor inconsistency: the top-level registry summary in the prompt said 'Required env vars: none' while claw.json and SKILL.md both require REVOSCALE_API_KEY; also claw.json version is 1.0.1 while registry metadata lists 1.0.4.
Instruction Scope
ok: SKILL.md instructs only to call the RevoScale API with user-provided names, domains, or LinkedIn URLs and to interpret returned fields. It does not instruct reading local files, unrelated env vars, or contacting other endpoints. It does, however, direct potentially sensitive personal data (names, LinkedIn URLs) to an external service — expected for this functionality but a privacy consideration.
Install Mechanism
ok: No install spec or code files are present (instruction-only). This minimizes on-disk risk; nothing is downloaded or installed by the skill itself.
Credentials
note: The skill needs a single API key (REVOSCALE_API_KEY), which is proportionate to calling a paid third-party API. Note the documentation claims 'Usage is unlimited' on paid plans (unusual — verify with provider). Also note the metadata inconsistency where the registry summary listed no required env vars while claw.json and SKILL.md declare the API key.
Persistence & Privilege
ok: 'always' is false and there are no instructions to modify other skills or system-wide settings. The skill does not request permanent elevated privileges.