ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EngageLab Omni Connect

v1.0.3

EngageLab Omnichannel communications tool (SMS, WhatsApp, Email) with template management and messaging capabilities.

1· 257·0 current·0 all-time
by@gptbots
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The six environment variables map directly to SMS, WhatsApp, and Email API credentials and are appropriate for an omnichannel messaging integration. One oddity: the package includes a second SKILL.md (ClawHub CLI) that documents a separate tool and declares a required binary ('clawhub') — this is unrelated to the EngageLab functionality and may be an accidental extra file.
Instruction Scope
SKILL.md gives concrete REST endpoints, parameter lists, and explicit Basic Auth usage with the declared env vars. It does not instruct reading arbitrary host files, other environment variables, or exfiltrating data to unknown endpoints. Multiple EngageLab domains are referenced (engagelab.com and engagelab.cc variants and a 'emailapi-tr' hostname) — likely legitimate but worth verifying.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-write and supply-chain risk.
Credentials
The skill requests six credentials (key/secret pairs for SMS and WhatsApp, and user/API key for Email). This is proportional to supporting three independent channels. The SKILL.md uses those same env names and does not reference additional secrets.
Persistence & Privilege
always:false and no system-level config paths or binaries requested. The skill does not request forced/global persistence or elevated privileges.
Assessment
This skill appears internally consistent for sending SMS, WhatsApp, and Email via EngageLab APIs and requests the credentials you'd expect. Before installing: (1) verify you trust the publisher (source/homepage unknown); (2) confirm the API domains listed (engagelab.com / engagelab.cc / emailapi-tr.engagelab.com) are legitimate for your vendor; (3) provide least-privilege API credentials (separate keys for test vs production, limited scopes if supported) and be ready to rotate them; (4) test in a sandbox account to confirm endpoints and template behavior; (5) note the extra ClawHub SKILL.md file that seems unrelated — ask the publisher why it's included or remove it if you don't need it. If you need higher assurance, request the publisher's documentation or an official homepage and a signed vendor contact.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fyne65qp1wap5fyejce0kfs833d6b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvENGAGELAB_SMS_KEY, ENGAGELAB_SMS_SECRET, ENGAGELAB_WA_KEY, ENGAGELAB_WA_SECRET, ENGAGELAB_EMAIL_API_USER, ENGAGELAB_EMAIL_API_KEY

Comments