Skill v1.0.0
ClawScan security
Clawdbot For Vcs · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 12:01 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The package appears to implement a coherent VC email/CRM/calendar workflow, but the skill's declared metadata omits required credentials/tools and the SKILL.md contains a detected prompt-injection pattern — review before installing.
- Guidance
- What to consider before installing:
  - Verify the source and repo: the package lists no homepage/source; prefer skills with a public repository and maintainer contact. Ask the publisher for the canonical GitHub URL.
  - Expect to grant wide data access: the skill needs Gmail/Calendar OAuth and an Affinity API key to function. These are necessary for triage/CRM integration, but only provide them if you trust the package and maintainer.
  - Manifest mismatch: the registry metadata declares no env vars or binaries, yet the docs require 'gog', AFFINITY_API_KEY, and a GOG_KEYRING_PASSWORD. Ask the maintainer to update the skill manifest to declare these requirements before installing.
  - Prompt-injection flag: the SKILL.md contains text matched by a prompt-injection detector. Open and search SKILL.md/BOOTSTRAP.md for any lines like 'ignore previous instructions' or similar and remove or clarify them. Do not install if the docs instruct the agent to disregard platform safeguards.
  - Least privilege & testing: initially run in review-only mode (agent should only create drafts and never send). Use test/limited accounts where possible (a separate Affinity account or limited API key) and confirm the skill only performs expected API calls (label creation, draft creation, note creation).
  - Secret handling: avoid pasting long-lived secrets into files that are world-readable; store API keys in a secure credential store. Consider rotating keys after testing.
  - Verify third-party tools: confirm the gog CLI repo and its maintainers before 'go install'. If you prefer, run commands manually rather than giving the skill full automation until you have validated behavior.

  If you want, I can: (1) point to the exact lines in SKILL.md that reference 'ignore-previous-instructions' and other injection-like text; (2) draft questions to ask the package maintainer to clarify the manifest; or (3) list specific tests to run in a sandbox before granting production credentials.
- Findings
[ignore-previous-instructions] unexpected: The regex scanner found an 'ignore-previous-instructions' prompt-injection pattern inside SKILL.md. For a workflow/automation skill that should be 'safe by default', such a pattern is unexpected and could be an attempt to change agent instruction boundaries; inspect SKILL.md for any lines that attempt to override agent/system instructions and remove them.
Review Dimensions
- Purpose & Capability
- note: The SKILL.md and supporting docs clearly implement a VC partner workflow (email triage, Affinity CRM, calendar, memo generation) which matches the skill name. However the registry metadata declares no required env vars or binaries while the documentation instructs the user to install the gog CLI and set AFFINITY_API_KEY and GOG_KEYRING_PASSWORD — a mismatch that should have been declared in the skill manifest.
- Instruction Scope
- concern: The runtime instructions direct wide access to user data (read/search Gmail messages and attachments, manage Gmail labels and drafts, access Google Calendar, and call the Affinity API). That scope is appropriate for a triage/CRM skill, but the SKILL.md also contains content flagged by the scanner as a prompt-injection pattern (e.g., 'ignore-previous-instructions' detected). Prompt-injection strings embedded in skill docs can attempt to manipulate agent behavior; this is a meaningful red flag and should be inspected and removed or explained.
- Install Mechanism
- ok: This is an instruction-only package with no install spec; the BOOTSTRAP.md recommends installing the gog CLI via 'go install' (a standard, moderate-risk operation). No archived downloads or opaque installers are used. Still verify the gog repo/source before installing and prefer installing via verified release channels.
- Credentials
- concern: The skill does need sensitive credentials (Affinity API key, OAuth for Gmail/Calendar and a gog keyring password) to function — those are proportionate to its purpose. However the manifest/registry metadata fails to declare these required env vars and config paths. That omission reduces transparency and is suspicious: the skill may rely on or request secrets without declaring them to the platform.
- Persistence & Privilege
- ok: The skill does not request always:true and is user-invocable only. Its documentation instructs copying templates into the user's Clawdbot workspace (local files) and storing environment variables in shell rc files — standard for this type of tool. There is no indication it modifies other skills or system-wide agent settings.
