Ahc Automator

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: ahc-automator Version: 1.0.0 The skill is classified as suspicious due to its use of powerful system interaction capabilities, which, while potentially legitimate for its stated purpose, carry inherent risks. Specifically, `scripts/setup.py` modifies the user's shell profile (`.zshrc`, `.bash_profile`) to set environment variables, a high-privilege action that could be misused if untrusted input is provided. Additionally, `scripts/ahc_utils.py` utilizes `subprocess.run` with `osascript` to interact with Apple Mail, granting access to local application data, which is a powerful vector that requires careful scrutiny, even if the current implementation appears to mitigate direct injection from email content. There is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or stealthy backdoors, but these capabilities elevate the risk beyond benign.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernMedium Confidence

ASI02: Tool Misuse and Exploitation

What this means

A keyword-matching email in the monitored mailboxes could create tasks, contacts, or deals in AHC systems without review.

Why it was flagged

Recent email content is used to trigger ClickUp task creation and Pipedrive deal creation automatically. The shown workflow does not include a human approval step or clear sender-authentication check before mutating business systems.

Skill content

for email in emails:
    self.process_single_email(email)
...
if self.email_parser.contains_keywords(email, 'clickup'):
    self.handle_clickup_request(email)
...
task_result = self.clickup.create_task(...)
...
deal_result = self.pipedrive.create_deal(...)

Recommendation

Add sender allowlists, deduplication, preview/approval for writes, and a rollback or audit process before creating or updating ClickUp/Pipedrive records.

NoteHigh Confidence

ASI03: Identity and Privilege Abuse

What this means

If installed with broad API tokens, the skill can create or modify business records in ClickUp and Pipedrive.

Why it was flagged

The skill uses ClickUp and Pipedrive API tokens to act on connected business accounts. This is expected for the stated integration, but users should notice the delegated authority.

Skill content

self.api_token = self.config.get_env_or_config('CLICKUP_API_TOKEN', 'clickup', 'api_token')
...
'Authorization': f'Bearer {self.api_token}'
...
self.api_token = self.config.get_env_or_config('PIPEDRIVE_API_TOKEN', 'pipedrive', 'api_token')

Recommendation

Use least-privilege tokens where possible, keep tokens out of shared logs or shell profiles, and ensure the registry metadata clearly declares required credentials.

NoteHigh Confidence

ASI10: Rogue Agents

What this means

Once scheduled, the automation may continue processing emails and making business-system changes until the cron jobs are disabled.

Why it was flagged

The skill is designed to work with recurring background monitoring rather than only one manual run. This persistence is disclosed, but it affects ongoing business workflows.

Skill content

Email monitoring is handled by existing cron jobs:
- Ian: `ian@alanharpercomposites.com.br` (Every 5 minutes)
- Ronaldo: `ronaldoaibot@gmail.com` (Every 5 minutes)

Recommendation

Confirm which cron jobs are active, document how to pause or remove them, and monitor the logs after installation.