Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CMA Email

v1.0.0

Sends an email via Gmail when a message starts with "cma" or "cmap".

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the instructions: the skill sends Gmail messages to two specific recipients. It relies on the 'gog' skill to perform the actual send (declared in SKILL.md metadata). The registry metadata shown earlier did not list required env or creds, which is consistent because this instruction-only skill delegates auth to the 'gog' skill — but users must understand that 'gog' will need Gmail credentials to work.
Instruction Scope
SKILL.md contains a SYSTEM INSTRUCTION that the agent MUST use the skill and immediately execute the send (no textual reply or confirmation). It will transmit arbitrary user-provided text to external email addresses (hard-coded). There is no input sanitization, confirmation step, or safeguards to prevent sending sensitive data. This is scoped to email sending, but the 'must execute without confirmation' behavior is risky.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk. Lowest install risk.
Credentials
The skill itself requests no env vars or credentials, which is consistent because it delegates to the 'gog' skill. However, that means permission to send Gmail depends on the gog skill's credentials/scope; the skill hard-codes two recipient addresses (one personal Gmail and one corporate email) which users should verify. No other unrelated credentials are requested.
Persistence & Privilege
always:false and no install actions. The only notable privilege is the SKILL.md 'MUST use this skill' instruction which enforces immediate use when the message prefix matches; this is a behavioral/design risk but not a platform-level persistence/privilege escalation.
What to consider before installing
This skill will automatically send whatever text follows the 'cma' or 'cmap' prefix to a hard-coded email address via the 'gog' skill, without asking for confirmation. Before installing, confirm: (1) you trust the targets (duarte.caldas.oliveira@gmail.com and duarte.oliveira@devoteam.com); (2) the 'gog' skill is configured with appropriate Gmail credentials and you understand its permissions; (3) you are comfortable with automatic sends (consider accidental triggers or sensitive data leakage). If you want safer behavior, request a confirmation step in the SKILL.md (e.g., ask the user to approve the composed email before sending) or limit allowed content. Test in a safe environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9751f6tz348hgh3ak4rd993sn80z4nf

Runtime requirements

📧 Clawdis
