ClawHub

articuler

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is a coherent networking assistant, but it sends email and LinkedIn/outreach details to Articuler's external API and uses a service token that users should handle carefully.

This skill appears benign and purpose-aligned. Before installing or using it, be comfortable sending your email address, LinkedIn profile URL, target LinkedIn URLs, and outreach goals to Articuler's API, and keep the returned token private.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

The agent may make external API requests as part of generating playbooks and emails.

Why it was flagged

The skill instructs the agent to use curl to call Articuler's external API. This is disclosed and core to the networking-assistant purpose.

Skill content
curl --location --request POST 'https://api.articuler.ai/user/artclaw/playbook'
Recommendation

Use the skill only when you intend to send the listed information to Articuler, and review API inputs before submission.

#
ASI03: Identity and Privilege Abuse
Low
What this means

Anyone with the token may be able to perform Articuler API actions for that session or account context.

Why it was flagged

The skill creates and uses an Articuler service token tied to the user's email verification and LinkedIn profile. This is expected for the service but is still authentication material.

Skill content
Log in with the user's email, captcha code, and LinkedIn profile URL. Returns a `token` required for all subsequent API calls.
Recommendation

Do not share the token unnecessarily, avoid storing it in public logs or files, and regenerate or revoke it if exposed.

#
ASI07: Insecure Inter-Agent Communication
Low
What this means

Personal and professional relationship data may be processed by Articuler's service.

Why it was flagged

The skill sends the user's email, the user's LinkedIn profile, a target contact's LinkedIn profile, and the outreach objective to an external provider.

Skill content
"email": "your@email.com", "linkedin_url": "https://www.linkedin.com/in/your-profile/" ... "target_linkedin_url": "https://www.linkedin.com/in/your-target-profile/", "objective": "Want to be a partner"
Recommendation

Share only information necessary for the task, consider the privacy expectations of target contacts, and review Articuler's privacy terms before use.