sensorpro.app
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is aligned with managing Sensorpro, but it exposes broad email-marketing and account-changing API actions without clear approval or scope limits.
Install only if you want OpenClaw to manage your Sensorpro account. Use a dedicated least-privilege API user, keep the API key and password out of source control, and require manual review before sends, imports, deletes, opt-out/status changes, or account/user changes.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-permissive agent action could send messages, alter mailing lists, delete contacts, change consent status, or modify account users.
These raw API capabilities can change subscriber records, opt-out status, send emails, and modify account structure. The artifact does not pair these high-impact actions with explicit user confirmation, scoping, dry-run, or rollback requirements.
Contacts ... `ChangeStatus`, `ChangeOptOutStatus`, `DeleteContacts`, `ForgetMe` ... Campaigns + sending ... `AddCampaign`, `AddDesign`, `AddSegment`, `AddBroadcast` ... Relay Email ... `SendEmail` ... Account ... `AddSubOrganization`, `AddUpdateUser`
Require explicit user approval before any send, delete, opt-out/status change, import, or account-management call, and limit the API user to the minimum Sensorpro permissions needed.
Anyone or any agent process with these environment variables can authenticate to Sensorpro within the API user's permissions.
The skill openly requires Sensorpro API credentials and recommends a dedicated API user. This is expected for the integration, but it gives the agent delegated access to the Sensorpro account.
requires:
 env: ["SENSORPRO_API_KEY","SENSORPRO_ORG","SENSORPRO_USER","SENSORPRO_PASS"] ... Create a dedicated **API user** in Sensorpro
Use a dedicated least-privilege API user, store secrets only in the OpenClaw environment, rotate exposed keys, and avoid granting account-management permissions unless required.
