Skill v1.0.0

ClawScan security

Lead Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 2:18 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions call for using Google APIs, website builders, and SMTP services (which require credentials and explicit configuration), but the package declares no required credentials or install steps and leaves broad, vague instructions — this mismatch is concerning.
Guidance
Do not install or grant credentials to this skill until the author clarifies several things: (1) a precise list of required environment variables and the exact scopes/permissions for each (Google Maps/Places API keys, SendGrid/Postmark API key or SMTP creds, Square/site-builder credentials), (2) where lead data will be stored, retention and access controls, and whether leads have consented to being scraped/contacted, (3) exact endpoints and templates the skill will call or publish to, and (4) whether there is source code you can review (right now there is only high-level prose). If you must test, give least-privilege, revocable test credentials and isolate the skill from any production accounts. Ask the publisher for code or an installable package that explicitly declares the env vars and shows how credentials are used; that would materially reduce the concern.

Review Dimensions

Purpose & Capability
concern: The description and SKILL.md legitimately require access to external services (Google Maps/Places, Squareup, SendGrid/Postmark) to function, but the skill declares no required environment variables, primary credential, or config paths. That omission is incoherent: those services need API keys/credentials.
Instruction Scope
concern: The runtime instructions direct broad actions (lead scraping, auto-generating per-lead websites, sending personalized email campaigns, and automated follow-ups) but are high-level and grant wide discretion. They do not specify where data is stored, how consent/privacy is handled, or what exact APIs/endpoints are used, which increases the risk of unwanted data collection or exfiltration.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk because nothing is written to disk by the skill package itself.
Credentials
concern: The instructions imply the need for multiple sensitive credentials (Google API keys, SMTP/SendGrid API keys, Square/site-builder credentials) but none are declared. Requesting such secrets without explicitly listing them and the scopes required is disproportionate and unclear.
Persistence & Privilege
ok: The skill does not request always:true or other elevated platform persistence. Agent autonomous invocation is allowed by default (disable-model-invocation is false), which is normal — combine this with the other concerns (credentials unclear, broad scope) when deciding.