Skill v1.0.0

ClawScan security

professional-email-writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 3:18 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only email drafting helper that requests no credentials, installs no software, and its runtime instructions match the described purpose.
Guidance
This skill is low-risk as-is: it only provides templates and examples and does not ask for credentials or install software. Before installing, consider that the publisher/source is unknown (no homepage) — verify reputation if possible. Treat any prompts or outputs as drafts: avoid pasting sensitive data (passwords, account numbers, or private keys) into the skill input, review/edit generated emails before sending, and be cautious if a future update requests SMTP/email account credentials or network access.

Review Dimensions

Purpose & Capability
ok: Name, description, and SKILL.md all describe an email-drafting assistant and the skill does not request unrelated access (no env vars, no installs). Note: the package/source is marked 'unknown' and has no homepage, so publisher provenance cannot be verified — this is a provenance concern but does not make the capability incoherent.
Instruction Scope
ok: SKILL.md only contains prompts, templates, examples, trigger keywords, and usage instructions for composing emails; it does not instruct the agent to read system files, access environment variables, transmit data to external endpoints, or perform unrelated actions.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing is written to disk or downloaded during install, which minimizes supply-chain risk.
Credentials
ok: Requires no environment variables, credentials, or config paths — exactly what you'd expect for a drafting/template skill. If future versions add SMTP or mailbox integration, those credential requests should be scrutinized.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by default, but this skill's lack of credentials or network install reduces the blast radius.