ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sendivent

v1.0.0

Sendivent multi-channel notification API. Use when sending notifications via email, SMS, Slack, push, Telegram, WhatsApp, or Discord. Triggers on: send notif...

0· 30·0 current·0 all-time
by@oakleaf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, README, SDK guide, and API reference all consistently describe a Sendivent multi-channel notification integration. The documented endpoints, channels, and examples are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs using a Sendivent API key (process.env.SENDIVENT_API_KEY), creating an account/application, and making HTTP requests to api.sendivent.com — all within the expected scope. The instructions do not ask the agent to read unrelated system files or transmit unrelated data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or execute locally, which minimizes install-time risk.
!
Credentials
The runtime docs require an API key (SENDIVENT_API_KEY) and show examples using it, but the registry metadata lists no required environment variables or primary credential. The request for an API key is proportionate to the skill's purpose, but the metadata omission is a mismatch that could lead to surprising behavior or accidental leaking if users aren't warned.
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false) and does not modify other skills or global agent settings. Autonomous invocation is allowed by platform default but is not combined with other red flags here.
What to consider before installing
This skill appears to be a straightforward Sendivent API reference and helper, which legitimately needs an API key to operate. Before installing: (1) Confirm you trust the skill owner and the sendivent.com domain; (2) do not provide a production API key—use a test_* sandbox key for experimentation; (3) note that the skill's metadata does not declare SENDIVENT_API_KEY even though the docs require it—make sure you set the env var yourself if you intend to use it; (4) if you do not want the agent to call the skill autonomously, disable model invocation or limit the agent's permissions; (5) review any code the agent generates that uses the key and avoid embedding long-lived production credentials in source or logs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f6aqten8hc9h1c9kk7mg4158433q1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments