Skillv3.6.7

ClawScan security

☤CaduceusMail · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 8, 2026, 4:53 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested files, binaries, and environment variables are consistent with its stated purpose (managing Microsoft 365/Exchange and Cloudflare DNS); the wrapper carefully verifies a vendored release, restricts runtime environment, and documents the high privileges it requires.
Guidance: This skill appears internally consistent with its stated purpose, but it will receive high-privilege credentials (Azure/Entra client secret and a Cloudflare token) which the vendored node CLI can use at runtime. Before installing or enabling: 1) Verify you trust the vendored release artifact (review vendor/caduceusmail-3.6.7.tgz contents and the pinned repository/commit in vendor/caduceusmail-release.json). 2) Use a dedicated least-privilege Entra service principal scoped only to the required Graph/Exchange roles and a Cloudflare token limited to the single zone. 3) Keep CADUCEUSMAIL_ALLOW_EXTERNAL_SCRIPT_RESOLUTION unset (default 0) unless you explicitly need it. 4) Consider running the wrapper's doctor command in a safe/test environment first to observe behavior. If you cannot or do not want to trust the vendored CLI code, do not provide production credentials to this skill.

Review Dimensions

Purpose & Capability: okThe name/description (M365/Exchange + Cloudflare DNS mailbox/domain automation) maps directly to the env vars requested (ENTRA_* for Azure/Graph, EXCHANGE_*, ORGANIZATION_DOMAIN, CLOUDFLARE_*). Required binaries (bash, node, python3) are used by the wrapper for verification and to run the vendored CLI; jq is declared in metadata (and is harmless if present). The request for high-privilege secrets is proportional to the declared operations (Graph app roles, Exchange RBAC, DNS mutations).
Instruction Scope: noteSKILL.md instructs running the included run.sh wrapper which: verifies/extracts a vendored tarball, creates a private state directory, and execs the vendored node CLI with a sanitized environment (env -i + explicit allow-list). The wrapper intentionally forwards only a focused set of env vars (plus any CADUCEUSMAIL_/OPENCLAW_*/EMAIL_ALIAS_FABRIC_* vars). This grants the vendored CLI full access to the service credentials you provide (ENTRA_CLIENT_SECRET, CLOUDFLARE_API_TOKEN) — which is expected, but you should understand the node process receives these secrets at runtime. The SKILL.md also documents the security posture and the external-script-resolution opt-in flag.
Install Mechanism: okThere is no network install at runtime; the skill vendors a tarball and a release manifest. The wrapper verifies SHA-1 and a pinned sha512 integrity value, prevents path-traversal during extraction, and sets restrictive permissions. No downloads from untrusted URLs occur by default. The code performs an on-disk install under a user-local XDG_DATA_HOME path.
Credentials: okThe set of required environment variables directly correspond to the Microsoft/Exchange and Cloudflare operations the tool performs. The skill legitimately needs Entra/Azure client id/secret and Cloudflare token/zone id. The wrapper does read and forward a handful of general host env vars (HOME, PATH, LANG, SSH_*, TMP*), but it uses env -i to avoid leaking the full host environment and only forwards explicitly enumerated values. The documentation explicitly recommends least-privilege service principals and limited Cloudflare tokens.
Persistence & Privilege: okThe skill is not always-enabled, model invocation is allowed (normal), and runtime state is confined to a skill-owned directory (~/.caduceusmail and XDG_DATA_HOME/toolchains) with owner-only permissions. The skill may perform high-privilege Cloud/M365 operations by design, but it does not request system-wide or other-skills credentials, nor does it modify other skills' configuration. External script resolution is opt-in (default off).