Clawmart Skills Empire
Pass
Audited by ClawScan on May 10, 2026.
Overview
No hidden malicious code is evident, but this is mostly a marketing/template kit with over-promised functionality and some setup/credential guidance that users should verify.
Install this only if you want a documentation/template starter kit. Before deploying or selling anything based on it, verify the missing implementation, inspect any dependency files, keep API keys out of shared config files, and add safeguards for scraping, trading, CRM, or outreach workflows.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could over-trust the marketing claims and try to sell or deploy incomplete skills.
The reviewed package contains Markdown templates and a demo script that only prints marketing text, so users should not assume complete runnable source code exists without verifying.
What Buyers Get - ✅ 5 premium skill templates ... ✅ Full source code ... ✅ Demo scripts
Treat this as a starter/template kit unless you inspect and implement the missing functionality yourself; avoid making marketplace or sales claims that the artifacts do not support.
Following missing or externally supplied setup files could introduce unreviewed dependencies.
The file manifest does not include requirements.txt, so any dependency list obtained separately would not be part of the reviewed artifact set.
Check that all dependencies are installed: `pip install -r requirements.txt`
Only install dependencies from files you can inspect and verify; do not run an externally supplied requirements file without review.
Users could accidentally place secrets in config files that are later shared, sold, or committed.
The current package does not use credentials, but its docs direct users to add API keys for derived skills while the registry declares no credential contract.
- API keys (specific to each skill)
Use environment variables or a secret manager for real API keys, document required scopes, and never redistribute config files containing secrets.
If built out without safeguards, a lead-generation skill could collect or use contact data in ways users or providers did not authorize.
A derived skill implementing this template would automate lead collection, outreach preparation, and CRM export, but the template does not define approval, consent, rate-limit, or provider-policy boundaries.
- Business data scraper
- Email finder/verifier
- Outreach message generator
- CRM exporter (HubSpot, Salesforce)
Add explicit user approval, data-source limits, compliance checks, and provider-specific permission scopes before implementing or deploying this template.
