EmailElevate
Security checks across malware telemetry and agentic risk
Overview
EmailElevate matches an email-marketing purpose, but it asks for multiple high-impact email-provider API keys and describes live campaign and list changes without clear safety boundaries.
Review this skill before installing. Only provide API keys for the platforms you actually use, prefer least-privilege credentials, require manual confirmation before any campaign send or list change, and separately verify email-compliance requirements.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may require granting broad access to several email-marketing accounts, increasing the impact of mistakes or misuse.
The skill declares all four email-provider API keys as required. These credentials are purpose-related, but requiring multiple provider accounts at once is overbroad for tasks that may only use one service.
"env": ["MAILCHIMP_API_KEY", "CONVERTKIT_API_KEY", "ACTIVECAMPAIGN_API_KEY", "SENDGRID_API_KEY"]
Use provider-specific, least-privilege API keys where possible, and avoid supplying credentials for services you do not intend to use.
A mistaken or overly broad instruction could send messages to customers or alter subscriber records.
The skill describes high-impact actions such as sending emails to subscriber lists and mutating contact data. The provided artifacts do not show explicit approval, preview, rollback, or bounded-scope safeguards for those actions.
"Deliver: Send to my ActiveCampaign list "blog-subscribers"" and "Auto-remove unsubscribes and bounced emails" / "Merge duplicate contacts" / "Clean email lists"
Require the agent to draft and preview campaigns first, ask for explicit confirmation before sending or changing lists, and limit actions to named lists or segments.
Users may over-trust the skill for legal email-compliance obligations that still require business and legal review.
The skill makes a strong compliance claim, but the provided artifact is instruction-only and does not show concrete enforcement logic, consent checks, audit logging, or jurisdiction-specific safeguards.
"Compliance-ready with GDPR, CAN-SPAM, and CASL standards built-in"
Treat compliance language as marketing guidance only; verify consent, unsubscribe handling, sender identity, and retention requirements independently.
Automations may keep sending emails or triggering workflows unless disabled in the connected provider.
The skill is meant to create scheduled drip campaigns and recurring newsletters. This persistence is purpose-aligned, but it can continue running inside provider platforms after initial setup.
"Schedule: Every Monday at 9 AM EST" and "Set delays between emails (hours, days, weeks)"
Keep an inventory of created automations, review schedules, and know how to pause or delete workflows in each email platform.
Campaign metrics, audience segments, or business performance data could become visible to people with access to those Slack channels.
The skill describes sending campaign analytics to Slack channels. This is user-directed and purpose-aligned, but it moves potentially sensitive marketing and customer-performance data into another workspace.
"Report results weekly to my Slack #marketing channel" and "Export as CSV and post a summary to my Slack #analytics channel"
Post only to approved private channels and avoid including unnecessary personal or customer-level data in Slack summaries.
