Skill v0.1.0

ClawScan security

Email Marketing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 13, 2026, 8:53 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only email-marketing playbook that is internally consistent with its stated purpose and does not request unusual permissions or install code.
Guidance
This skill is a text-only playbook and appears coherent for its stated purpose. Before using: (1) Do not paste sensitive credentials (SMTP/API keys) into the chat unless you trust and expect the skill to need them — the SKILL.md does not require any keys. (2) Follow privacy and anti-spam laws when building lists (consent, unsubscribe handling, GDPR/CAN-SPAM compliance). (3) Be cautious if the skill later asks to perform actions on external accounts — verify the exact API/credential usage and prefer creating limited-scope API keys. Overall, the skill is instruction-only and low-risk, but exercise normal care around credential sharing and regulatory compliance.

Review Dimensions

Purpose & Capability
ok
The name/description (email campaign design, sequences, deliverability, copywriting) matches the SKILL.md content. There are no unrelated requirements (no cloud credentials, binaries, or platform-specific config) that would be unexpected for this kind of guide.
Instruction Scope
ok
The instructions are a step-by-step marketing playbook (list building, sequence design, platform recommendations, copy guidance). They do not instruct the agent to read local files, access environment variables, call external endpoints, or exfiltrate data. They remain within the stated scope.
Install Mechanism
ok
There is no install spec and no code to write to disk — lowest-risk model for a skill. Nothing is downloaded or executed by the skill itself.
Credentials
ok
The skill does not request environment variables, keys, or config paths. That is proportional to an instruction-only marketing guide. (If later prompts request API keys or SMTP credentials from the user, that would be an interaction to treat cautiously.)
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request persistent elevated privileges or attempt to alter other skills. Autonomous invocation is allowed (platform default) but there are no other privilege requests.