Skill v1.1.0

ClawScan security

Openclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 10:04 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (finding/enriching business leads) matches its runtime instructions and required credential (EEF_API_KEY); it is an instruction-only integration that calls the Easy Email Finder API and does not request unrelated access.
Guidance
This skill is internally coherent, but before installing: (1) confirm you trust the Easy Email Finder service and review its privacy/terms (the skill will transmit queries and website URLs to that external API); (2) keep your EEF_API_KEY secret and scoped/rotated as appropriate; (3) be aware enrich calls consume paid credits and are rate-limited; and (4) verify the skill publisher/source since registry metadata shows no homepage while SKILL.md references easyemailfinder.com.

Review Dimensions

Purpose & Capability
ok: Name/description promise (search/enrich businesses with emails, tech stack, social links) aligns with the single required credential (EEF_API_KEY) and the API endpoints documented in SKILL.md. There are no extra binaries, config paths, or unrelated credentials requested.
Instruction Scope
ok: SKILL.md is explicit about endpoints, request formats, authentication, rate limits, and credit costs. It only instructs the agent to call https://easyemailfinder.com API endpoints and to read the EEF_API_KEY env var; it does not instruct the agent to read other files, environment variables, or system paths.
Install Mechanism
ok: No install spec and no code files; the skill is instruction-only. This minimizes on-disk risk; nothing is downloaded or executed by the skill itself.
Credentials
ok: Only one environment variable is required (EEF_API_KEY) and it is the documented bearer token for the API. The credential request is proportionate to the skill's stated purpose and is declared as the primary credential.
Persistence & Privilege
ok: "always" is false (default) and the skill makes no claims to modify agent/system settings. Autonomous invocation is allowed (platform default) but not combined with other privilege-escalating factors.