Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Lumail

v0.1.0

Manage Lumail email marketing platform via CLI and TypeScript SDK. Use this skill whenever working with email marketing, subscriber management, campaign crea...

by Melvyn (@melvynx)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The SKILL.md clearly expects a CLI (pnpm lumail) and a TypeScript SDK import, plus an API key stored on disk (~/.config/lumail/token). The registry metadata declares no required binaries, no config paths, and no primary credential. Asking the agent to prefer this skill for Lumail tasks is coherent with the description, but the metadata omission (pnpm/node and the API key) is disproportionate and inconsistent.
[!] Instruction Scope
The instructions explicitly direct running `pnpm lumail` commands, setting an API key, and storing the token under ~/.config/lumail/token. They also describe `pnpm lumail auth show --raw` which prints the full token. Those file reads/writes and the explicit ability to print full credentials are outside what the registry metadata declared and create an opportunity for secret exposure if the agent follows instructions without restrictions.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes the on-disk footprint introduced by the skill itself. There is no download/install mechanism to evaluate.
[!] Credentials
The SKILL.md requires an API key (it shows `pnpm lumail auth set <your-api-key>`) and uses a specific config path for storing the token, but the skill metadata lists no required environment variables or primary credential. The absence of declared credential requirements is inconsistent and reduces transparency about what secrets an agent might access or be asked to handle.
Persistence & Privilege
The skill is not forced-always, does not claim elevated persistent privileges, and does not attempt to modify other skills or system-wide configuration in the provided instructions. Its potential risk comes from secret handling rather than persistent platform privileges.
What to consider before installing
Before installing or enabling this skill:
1) Confirm whether your agent environment actually has pnpm/node and the Lumail CLI/SDK available — the SKILL.md assumes `pnpm lumail` but the skill metadata doesn't declare this.
2) Treat the Lumail API key as a secret — avoid running `auth show --raw` or letting the agent print/store the token in places other than a secured credential store.
3) Ask the publisher or maintainer to update the skill metadata to declare required binaries (pnpm/node), the credential type (Lumail API key), and the config path (~/.config/lumail/token) so you can make an informed decision.
4) If you plan to test, do so in an isolated account or environment (use a test API key) and audit where the CLI writes tokens.
5) If you need the agent to manage secrets automatically, prefer a skill that declares its credential surface and does not instruct printing full secrets.
