EngageLab Omni Connect

Audited by ClawScan on May 10, 2026.

Overview

The EngageLab messaging instructions are mostly coherent, but the package can send external messages without clear confirmation limits and unexpectedly includes a separate ClawHub skill-management tool.

Review carefully before installing. Only use this with scoped EngageLab credentials, require a manual confirmation step before sending any SMS/WhatsApp/email or changing templates, and remove or ignore the unrelated bundled ClawHub CLI skill unless you intentionally want skill install/update/publish capabilities.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could send real SMS, WhatsApp, or email messages that may cost money, reach unintended recipients, or create spam/compliance issues.

Why it was flagged

The skill directs the agent to send SMS messages to collected recipients, and the provided artifacts do not define an explicit final user confirmation step, recipient scope, rate limit, or consent/compliance guardrail.

Skill content

Workflow ... 2. **Collect Data**: Get recipient numbers and variable values. 3. **Send**: Construct the JSON payload and POST to the endpoint.

Recommendation

Require explicit user approval before every send or template mutation, display recipients and message content before sending, and add limits for bulk or marketing use.

What this means

If loaded or followed, the extra skill could give the agent instructions for installing, updating, or publishing skills, expanding the package’s effect beyond EngageLab communications.

Why it was flagged

The package for an EngageLab communications skill contains a separate ClawHub skill-management skill, which is not disclosed by the EngageLab description and is not purpose-aligned with sending messages.

Skill content

name: clawhub
description: Use the ClawHub CLI to search, install, update, and publish agent skills from clawhub.com.

Recommendation

Remove the unrelated nested ClawHub skill from this package or clearly separate and disclose it as its own skill with its own review and install metadata.

What this means

Anyone or any agent with access to these environment variables may be able to send messages or manage templates through the EngageLab account.

Why it was flagged

The skill requires provider credentials for SMS, WhatsApp, and Email API access. This is expected for the integration, but the credentials enable real account actions.

Skill content

All API requests must include an `Authorization` header. Format: `Basic ${Base64(dev_key:dev_secret)}` ... Use `ENGAGELAB_SMS_KEY` and `ENGAGELAB_SMS_SECRET`.

Recommendation

Use least-privilege EngageLab keys where possible, rotate keys if exposed, and avoid installing this skill in environments where unrelated agents can access the same credentials.