Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Emailelevate
v1.0.0
Automate email campaigns, sequences, and analytics for small businesses. Use when the user needs drip campaigns, welcome series, performance tracking, or int...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to automate email campaigns across Mailchimp, ConvertKit, ActiveCampaign, and SendGrid and declares curl/jq as required binaries — that is coherent. However, requiring all four providers' API keys as mandatory is disproportionate if a user only uses one provider or a single client. The description also mentions WordPress, Slack, and Google Sheets integrations but those services' credentials are not declared.
Instruction Scope
The SKILL.md examples and capabilities explicitly describe posting summaries to Slack channels, exporting CSVs, and syncing WordPress posts / updating Google Sheets. Runtime instructions therefore imply the agent will call Slack and Google/WordPress APIs and will handle subscriber lists (personal data). Yet required env vars do not include any Slack webhook/token, Google credentials, or WordPress credentials. That mismatch means the instructions reference behaviors that lack declared credential requirements and increases the risk of unexpected external data flows or missing security constraints.
Install Mechanism
This is instruction-only with no install spec and only requires curl and jq on PATH. No code is downloaded or written to disk by an installer, which is the lower-risk model.
Credentials
Declaring MAILCHIMP_API_KEY, CONVERTKIT_API_KEY, ACTIVECAMPAIGN_API_KEY, and SENDGRID_API_KEY as required for every installation is excessive for most users (they normally use one provider). These are high-sensitivity secrets; the skill should make provider credentials optional/selective or clearly justify needing all of them. Additionally, other sensitive credentials implied by the instructions (Slack webhook/token, Google Sheets service account, WordPress credentials) are missing from requires.env, which is inconsistent and suspicious.
Persistence & Privilege
always is false and there is no persistent install step or requests to change other skills' config. Autonomous invocation is allowed (default) but not combined with other elevated privileges, so no extra persistence concerns from the manifest itself.
What to consider before installing
Proceed cautiously. The skill's email-provider API keys and curl/jq requirement make sense for an email automation tool, but it inappropriately requires all provider keys by default and its instructions reference Slack, Google Sheets, and WordPress without declaring the required credentials. Before installing: (1) confirm the author/repo and review the full SKILL.md yourself; (2) ask the author why all email API keys are mandatory and request per-provider optional configuration; (3) require least-privilege API keys (read/write scopes limited) and test with sandbox lists; (4) do not supply your primary production credentials — create limited service accounts/webhooks for Slack and Google Sheets and ensure revocation is simple; (5) verify data handling/privacy (how subscriber data is stored/transmitted) and that GDPR/CAN-SPAM claims are implemented. If the author cannot justify these mismatches, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
latest vk97c6cav2p0hbg7fprne26k25d83h0bn
Runtime requirements
📧 Clawdis
OS: macOS · Linux · Windows
Bins: curl, jq
Env: MAILCHIMP_API_KEY, CONVERTKIT_API_KEY, ACTIVECAMPAIGN_API_KEY, SENDGRID_API_KEY
