Skill v1.0.0
ClawScan security
CMA Email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 4:58 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is functionally coherent (it will send Gmail via another skill) but it instructs the agent to immediately send user-provided content to hard-coded addresses without confirmation, which risks accidental or undesired data exfiltration and deserves caution.
- Guidance: This skill will automatically send whatever text follows the 'cma' or 'cmap' prefix to a hard-coded email address via the 'gog' skill, without asking for confirmation. Before installing, confirm: (1) you trust the targets (duarte.caldas.oliveira@gmail.com and duarte.oliveira@devoteam.com); (2) the 'gog' skill is configured with appropriate Gmail credentials and you understand its permissions; (3) you are comfortable with automatic sends (consider accidental triggers or sensitive data leakage). If you want safer behavior, request a confirmation step in the SKILL.md (e.g., ask the user to approve the composed email before sending) or limit allowed content. Test in a safe environment first.
Review Dimensions
- Purpose & Capability (note): The name/description match the instructions: the skill sends Gmail messages to two specific recipients. It relies on the 'gog' skill to perform the actual send (declared in SKILL.md metadata). The registry metadata shown earlier did not list required env or creds, which is consistent because this instruction-only skill delegates auth to the 'gog' skill — but users must understand that 'gog' will need Gmail credentials to work.
- Instruction Scope (concern): SKILL.md contains a SYSTEM INSTRUCTION that the agent MUST use the skill and immediately execute the send (no textual reply or confirmation). It will transmit arbitrary user-provided text to external email addresses (hard-coded). There is no input sanitization, confirmation step, or safeguards to prevent sending sensitive data. This is scoped to email sending, but the 'must execute without confirmation' behavior is risky.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files; nothing is downloaded or written to disk. Lowest install risk.
- Credentials (note): The skill itself requests no env vars or credentials, which is consistent because it delegates to the 'gog' skill. However, that means permission to send Gmail depends on the gog skill's credentials/scope; the skill hard-codes two recipient addresses (one personal Gmail and one corporate email) which users should verify. No other unrelated credentials are requested.
- Persistence & Privilege (ok): always:false and no install actions. The only notable privilege is the SKILL.md 'MUST use this skill' instruction which enforces immediate use when the message prefix matches; this is a behavioral/design risk but not a platform-level persistence/privilege escalation.
