Index Cards

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for mailing greeting cards, but users should notice it handles postal addresses, optional contact/calendar/email access, external API/Stripe flows, and optional saved contact data.

Before installing, be comfortable with an external service receiving mailing addresses and card content. Approve access to contacts, calendar, email, or saved address files only when needed, and confirm the preview, address, phone details, and payment/credits before any card is ordered.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the wrong card, address, or order is confirmed, the user could spend credits or send unwanted physical mail.

Why it was flagged

The workflow can culminate in a real-world mailing/order through the API; the confirmation step makes it purpose-aligned, but it is still a high-impact action.

Skill content

"Show preview + summary → ask for confirmation → place order"

Recommendation

Review the preview, recipient details, address, and cost before approving any order.

What this means

Granting access could expose personal contacts, calendar/email context, or an API session associated with card activity.

Why it was flagged

The skill contemplates both service authentication and optional access to private local/account data sources; it frames these as permissioned and purpose-aligned.

Skill content

"Never read contacts, messages, email, or local files without the user's explicit permission" and "Auth: anonymous Bearer token from POST /v1/auth/register"

Recommendation

Only approve the specific data source needed, and do not treat a general birthday request as approval to search all private sources.

What this means

The external card service receives recipient/address and card-context data needed to print and mail the card.

Why it was flagged

The skill sends personal delivery information and card content to an external provider and uses a hosted payment flow; this is disclosed and necessary for the service.

Skill content

"Data sent to API: recipient name + mailing address (for card delivery), card artwork URLs, occasion text. Payments: via Stripe hosted checkout URLs"

Recommendation

Use the service only for recipients whose address you are comfortable sharing, and check the provider privacy policy before sending sensitive messages.

What this means

Saved addresses or birthdays could be used in future card workflows and may be outdated or more persistent than the user expects.

Why it was flagged

The skill may persist names, birthdays, and addresses locally for reuse; it is opt-in, but saved personal data can become stale or be reused later.

Skill content

"Config path: ~/indexcards/birthdays.json (opt-in only — created only with explicit user consent, stores contact names/birthdays/addresses for card reuse)"

Recommendation

Opt in only if convenient, periodically review or delete the file, and confirm every saved address before ordering.