Listing Swarm
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is coherent, but it needs review because it automates bulk public submissions and CAPTCHA solving while requesting email credentials and overstating some safety boundaries.
Install only if you are comfortable with an agent submitting public listings on your behalf and using a CAPTCHA-solving service. Do not use a personal mailbox; create a dedicated email account with an app password, review verification links before opening, and revoke credentials after use.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your agent may bypass anti-bot checks and submit public listings on many external sites, which could violate site rules or affect your product reputation.
The artifact explicitly instructs the agent to automate submissions and CAPTCHA handling across third-party sites, while acknowledging some targets may not allow automation.
For each directory, the agent: ... Handles captcha (using your API key) ... Submits the form ... Directory ToS - Some directories don't allow automated submission.
Use only where automation is allowed, prefer free/approved directories, and require review before each submission or CAPTCHA-solved action.
Users may provide email-account access even if they expected email verification to be optional.
The same artifact frames email access as optional but includes IMAP credentials in the required environment contract, expanding the credential boundary beyond the core listing task.
requires: env: ... IMAP_USER ... IMAP_PASSWORD ... IMAP_HOST ... Email Access for Auto-Verification (Optional)
Treat IMAP access as sensitive; use a dedicated mailbox/app password and ensure the skill can run without IMAP when manual verification is preferred.
A spoofed or unexpected email could cause the agent to open the wrong verification link or expose email content to the agent context.
The email-verification helper trusts a simple sender-domain search and returns the first verification-looking link from email content for automatic verification.
['FROM', fromDomain] ... links: this.extractLinks(parsed.html || parsed.text) ... link: email.links[0]
Validate sender domains and link domains strictly, show the verification link to the user before opening it, and avoid returning full email HTML/text unless needed.
Users may underestimate the risk of sharing a personal mailbox or long-lived app password.
The documentation describes IMAP credential use and inbox parsing as risk-free, which understates the real sensitivity of granting an agent email access.
Risk: None — it's YOUR email, YOUR credentials, YOUR server
Replace 'Risk: None' claims with clear limits, risks, and mitigations, especially dedicated mailbox use and revocation steps.
Setup may require installing packages whose versions and provenance are not specified in the skill artifacts.
The included code depends on external packages, but the artifact set has no install spec or package manifest declaring pinned dependencies.
const Imap = require('imap');
const { simpleParser } = require('mailparser');Provide a package manifest/lockfile or clear pinned dependency instructions.