PandaDoc
Pass
Audited by ClawScan on May 6, 2026.
Overview
The skill appears legitimate for PandaDoc use, but it requires trusting ClawLink and approving PandaDoc access before it can change documents.
Before installing, make sure you trust the ClawLink plugin and the claw-link.dev domain, review the PandaDoc OAuth permissions, never paste raw credentials into chat, and confirm previews carefully before allowing document or workflow changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the user approves the wrong preview, the agent could create or alter PandaDoc documents, folders, attachments, or workflows.
The skill can invoke PandaDoc write tools through ClawLink, but it explicitly requires preview and user confirmation before writes.
For writes or anything marked as requiring confirmation, call `clawlink_preview_tool` first, then confirm with the user. Execute with `clawlink_call_tool`.
Review each preview carefully, especially for bulk, destructive, or external-facing workflow actions.
Connected ClawLink tools may be able to act with the PandaDoc permissions the user grants.
The skill relies on OAuth authorization to let ClawLink act against the user's PandaDoc account.
ClawLink's hosted page runs the hosted OAuth flow — the user clicks through the PandaDoc login and authorization screen.
Approve only the permissions you expect, use least-privilege accounts where possible, and revoke the ClawLink/PandaDoc connection when no longer needed.
The actual plugin implementation and updates are outside this skill review.
The reviewed skill has no code, but its operation depends on an external plugin that is not included in these artifacts.
Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`
Install the plugin only from the expected ClawHub source and verify ClawLink's source or publisher if your environment requires supply-chain review.
PandaDoc-related requests and tool actions may pass through ClawLink as part of the integration flow.
The skill routes tool discovery and execution through a third-party integration gateway, so tool metadata and requests depend on ClawLink.
ClawLink provides tools dynamically based on what the user has connected. You do not need to know tool names or schemas in advance.
Use the official ClawLink domain, avoid pasting raw credentials into chat, and ensure your organization is comfortable with ClawLink as the integration intermediary.
