v0.3.2

Smartlead

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:32 AM.

Analysis

The skill is coherent for Smartlead management, but it grants high-impact Smartlead account access and includes webhook/agent automation plus a setup helper that can enable an unreviewed local plugin.

GuidanceReview this skill before installing if your Smartlead account contains sensitive lead or campaign data. Use a dedicated least-privileged API key, require explicit approval for any lead or webhook changes, verify the openclaw-smartlead plugin source before running setup.sh, and configure webhook secrets/tokens before exposing the webhook endpoint.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Use `smartlead` CLI commands to manage campaigns, leads, webhooks, and message history... `smartlead campaigns leads patch ...` ... `smartlead webhooks upsert ...`

The skill documents commands that can change lead records and create or update campaign webhooks. These are purpose-aligned, but they are high-impact business-account mutations and the artifacts do not define an approval boundary for write operations.

User impactAn agent using this skill could change Smartlead lead data or webhook configuration if it decides a request or hook prompt requires it.

RecommendationRequire explicit user confirmation for patch, update, upsert, raw, or other write operations; prefer read-only commands for automated workflows; and use the least-privileged Smartlead API key available.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

setup.sh

PLUGIN_DIR="/home/worker/code/openclaw-smartlead" ... openclaw plugins install -l "$PLUGIN_DIR" || true ... openclaw plugins enable smartlead || true

The setup helper can install and enable a linked OpenClaw plugin from a hard-coded local directory that is not included in the provided file manifest, so the plugin code and provenance are not reviewable from the artifacts.

User impactRunning the setup helper could enable plugin behavior beyond the reviewed SKILL.md and setup.sh contents.

RecommendationDo not run setup.sh until you have verified the referenced plugin directory and source; prefer a pinned, packaged plugin included in the manifest; and avoid silently ignoring plugin install/enable failures.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

Credentials are resolved in order: `~/.config/smartlead-cli/config.toml` → env vars → CLI flags. Required: `SMARTLEAD_API_KEY`

The skill requires Smartlead credentials and may also use a local config file. This is expected for a Smartlead CLI integration, but it gives the agent account-level authority according to whatever permissions the key has.

User impactThe agent can access Smartlead data and perform actions allowed by the configured API key.

RecommendationUse a scoped or dedicated API key, rotate it if exposed, and avoid using a broad admin credential unless the agent genuinely needs that level of access.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

setup.sh

"webhookSecret": "<optional-smartlead-secret>", "inboundWebhookPath": "/smartlead/webhook" ... "action": "agent", "wakeMode": "now" ... "deliver": true, "channel": "slack"

The setup example exposes a webhook path that can wake an agent and deliver Slack messages, while the webhook secret is shown as optional. This creates a sensitive provider-to-agent-to-channel flow whose origin authentication and data boundary depend on user configuration.

User impactIf the webhook endpoint is reachable without strong validation, external events could trigger agent activity or cause lead information and conversation summaries to be sent to a channel.

RecommendationRequire a webhook secret and hooks token, restrict public exposure where possible, validate event origin, treat webhook/email fields as untrusted data, and disable automatic delivery if review is required.