Skill v1.0.0

ClawScan security

Delivery Notifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 6, 2026, 6:48 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions are internally inconsistent and it appears to send your fetched Gmail delivery data to a hard-coded external WhatsApp number — do not install until these mismatches and the destination are verified.
Guidance
Do not install or run this skill until you verify and fix multiple issues. Specific actions to take before trusting it:
- Inspect the full send_whatsapp implementation (the main file is truncated in the listing). Verify exactly where messages are sent and whether any external API keys or endpoints are embedded.
- Remove or replace the hard-coded WhatsApp recipient (+40746085791). A notifier should send alerts to a contact you control; a hard-coded third-party number is a privacy/exfiltration risk.
- Confirm how credentials are provided: prefer using environment variables scoped to a disposable/test account rather than embedding your primary Gmail credentials in a file. Do not provide your real Gmail app password until you audit the code.
- Fix metadata: the registry should declare required env vars (GMAIL_ADDRESS, GMAIL_APP_PASSWORD) and any other credentials the code uses. Mismatched paths (state file vs SKILL.md) should be reconciled.
- Run the debug script in a safe test inbox (and without any WhatsApp-sending enabled) to validate email fetching behavior and ensure no unexpected network calls.
- If you cannot audit the send_whatsapp logic or confirm the recipient, avoid using this skill with real personal accounts. If you obtained this from a third party, ask the publisher to explain why a fixed external number is present and to provide a version that sends only to the installing user.

Review Dimensions

Purpose & Capability
concern: The skill claims to fetch delivery emails and send WhatsApp alerts for the user, which is plausible, but there are multiple mismatches: the registry lists no required environment variables yet the code reads GMAIL_ADDRESS and GMAIL_APP_PASSWORD; SKILL.md tells you to edit the script to add credentials, while the code expects env vars; SKILL.md and the code disagree on the state file path. The SKILL.md also hard-codes a WhatsApp recipient (+40746085791 ‘Stefan’), which is not coherent with a personal notifier that should deliver notifications to the installing user.
Instruction Scope
concern: Runtime instructions and the code instruct scanning the user's Gmail inbox and storing or sending results. The manifest and SKILL.md instruct storing or editing credentials in a script file or using env vars, which risks exposing sensitive Gmail credentials. SKILL.md explicitly lists a non-user WhatsApp target; that means personal email-derived data would be sent to a third party. The main script is truncated in the supplied listing, so the exact WhatsApp sending mechanism isn't visible — but the presence of a hard-coded external recipient is a clear scope/privacy concern.
Install Mechanism
ok: No install spec is provided (instruction-only install), so no remote code is downloaded at install time. The skill does include Python scripts in the bundle, so code will run locally; absence of an external download lowers installation risk but does not remove the privacy/credential issues.
Credentials
concern: The registry declares no required environment variables, yet the code expects GMAIL_ADDRESS and GMAIL_APP_PASSWORD. The SKILL.md implies credentials will be edited into a local file. Neither the required Gmail credentials nor any WhatsApp credentials are declared in metadata; requiring Gmail app passwords (sensitive secrets) is reasonable for this feature, but the omission from metadata and the hard-coded external recipient are disproportionate and suspicious. The skill may also need WhatsApp credentials or an external service token (not declared).
Persistence & Privilege
note: always:false (good), and the skill is user-invocable and may be invoked autonomously by the agent (platform default). Autonomous invocation combined with the noted credential access and hard-coded external recipient increases the potential blast radius if the skill runs repeatedly, but there is no request for platform-wide privileges or permanent inclusion.