Skill v1.0.0
ClawScan security
Email check and validation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 10:26 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it documents a single third‑party email-validation API, only requests that service's API key, and its instructions match the stated purpose.
- Guidance: This skill appears coherent and implements a straightforward third-party email-validation call, but be aware it will send any email addresses you ask it to validate to apipick.com (these are potentially personal data). Provide the APIPICK_API_KEY via a secure mechanism (do not paste keys into public chat), monitor credits and API usage, and review apipick.com's privacy policy before validating sensitive addresses. If you need on‑prem or local validation (to avoid sending PII externally), prefer a different tool that performs DNS/MX checks locally instead of calling an external API.
Review Dimensions
- Purpose & Capability (ok): Name/description match the declared requirements: the skill only needs APIPICK_API_KEY and describes calling apipick.com's email-check endpoint — nothing extraneous is requested.
- Instruction Scope (note): SKILL.md instructs the agent to POST the user-supplied email to https://www.apipick.com/api/check-email using the APIPICK_API_KEY; this is appropriate for the stated purpose but will transmit any validated email addresses (PII) to the third-party API.
- Install Mechanism (ok): Instruction-only skill with no install spec and no bundled code — nothing is written to disk or downloaded during install.
- Credentials (ok): Only a single environment variable (APIPICK_API_KEY) is required, which directly corresponds to the documented API authentication; no unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): always is false and the skill does not request elevated or system-wide persistence; autonomous invocation is allowed by default and is not excessive here.
