Skill v1.0.0

ClawScan security

Email Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:26 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, documentation, and runtime instructions are consistent with an email-security tool and do not request unrelated credentials or installers.
Guidance
This skill appears coherent and appropriate for protecting agents that handle email. Before installing, consider:
(1) the scripts will read and write local files (e.g., references/owner-config.md) and can save attachments to disk — run them in an environment with only the minimum file-system permissions you allow;
(2) the skill will prompt you to supply an owner email and persist it into the repo/config — verify this is acceptable and back up any existing owner-config.md you care about;
(3) review blocked/allowed extensions in assets/security-config-template.json and parse_email.py (they block .py, .jar, etc.) to ensure policies match your needs;
(4) although provider docs mention OAuth/API keys, the skill does not require credentials by default — if you adapt it to integrate with Gmail/IMAP/AgentMail, follow best practices for storing credentials (encrypted, scoped, rotated); and
(5) if you plan to enable autonomous invocation, be aware the skill can be triggered by agent workflows — test with non-production mailboxes first.
Overall, the bundle looks consistent with its stated purpose; review and test in a safe environment before production use.
Findings
[prompt-injection:ignore-previous-instructions] expected: SKILL.md and threat-patterns.md intentionally contain sample injection payloads (e.g., 'ignore previous instructions') because the skill detects such patterns. The pre-scan flag is a likely false positive in this context but is surfaced correctly by the scanner.

Review Dimensions

Purpose & Capability: ok
Name/description (email security: sender verification, sanitization, attachment policy) match the included scripts and reference docs. The files present (parse_email.py, sanitize_content.py, verify_sender.py, provider references, policy templates) are appropriate and proportional to the stated purpose. No unexpected cloud credentials or unrelated binaries are requested.
Instruction Scope: ok
SKILL.md workflow confines actions to parsing EML content, verifying headers, sanitizing text, and applying attachment rules. The instructions do ask the agent to prompt for an owner email and update references/owner-config.md (i.e., write its own config), which is expected for a config-driven security tool. No steps instruct the agent to read unrelated system files or send data to external endpoints.
Install Mechanism: ok
No install spec is provided (instruction-only installation), which minimizes supply-chain risk. Scripts are included in the bundle; they run locally and do not download remote artifacts or create installers. This is a low-risk delivery model.
Credentials: ok
The skill declares no required environment variables or credentials. Provider docs reference normal credential handling (OAuth, API keys) as guidance only; the skill itself does not request them. That is proportionate to its described functionality.
Persistence & Privilege: ok
The skill does not set always:true and uses normal autonomous invocation defaults. It does instruct the agent to persist the owner email into references/owner-config.md and agent memory (its own configuration file), which is reasonable for a security policy tool. It does not attempt to modify other skills or system-wide agent settings.