ClawHub

EDM Email Manager (via Kanban Plugin)

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only email marketing workflow whose local storage, Resend sending, dashboard tracking, and companion plugin requirement are disclosed and fit its stated purpose.

Install only if you are comfortable reviewing and trusting the separate `claw-kanban` plugin. Treat mailing lists, Resend keys, dashboard keys, campaign HTML, and engagement analytics as sensitive data; use consented recipients, verify legal/compliance requirements, and preview the full campaign before confirming any send.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly says it stores brand identity and mailing-list data locally in `.claw-kanban/edm/brand.json` and `audience.json`, but it does not clearly warn the user that potentially sensitive business and recipient information will be written to disk. This can lead users to expose personal or confidential data on shared machines, in backups, or in source-controlled directories without informed consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill states that emails are sent via Resend and campaign IDs / tracking data are linked to an external dashboard, but it does not clearly disclose that campaign and recipient data may be transmitted to third-party services. In an email-marketing context, this omission is especially risky because recipient addresses, engagement metadata, and campaign content may be subject to privacy, consent, and regulatory requirements.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal