Skill v1.0.3

ClawScan security

Skill description: Full access to all Exchange 2010 EWS functions, should work with other EWS · Open Source
ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Scanned: Feb 11, 2026, 9:16 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code largely matches its Exchange/EWS intent, but it reads credentials from a repository-level .env.credentials file (outside the package), uses environment variable names (PICARD_*) that do not match the EXCHANGE_* names in SKILL.md, and writes every key from that file into the process environment, overwriting variables that are already set. These inconsistencies deserve review before installing the skill or giving it credentials.
Guidance
Things to check before installing or supplying credentials:
- Do not place high-privilege or personal credentials in a repository/root-level .env.credentials file. The code reads .env.credentials two directories above the package and sets every value it finds there into the process environment.
- Confirm which environment variable names the skill actually uses. SKILL.md documents EXCHANGE_* names, but the code reads PICARD_USERNAME / PICARD_PASSWORD (and then raises an error mentioning EXCHANGE_PASSWORD). This mismatch is a bug and could cause you to store credentials under the wrong names or in the wrong place.
- Limit the account you provide to the minimum necessary scope (a test/service mailbox where possible), because the skill can read mail, download attachments, send email, change out-of-office settings, and modify calendar events.
- Review the code locally before running it: the _load_env() logic sets os.environ from the file without filtering. Consider changing it to read only the expected keys (or to accept credentials passed in explicitly) and to avoid overwriting unrelated environment variables.
- Ensure the required runtime dependency exchangelib (and optionally PyPDF2) is installed in an isolated environment before use.
If you cannot or will not audit the code, treat this skill as suspicious and avoid placing real, high-privilege credentials in the expected .env.credentials location. If you proceed, create a dedicated, limited-permission service account and test in an isolated environment first.

Review Dimensions

Purpose & Capability
note: Functionality implemented (read/send email, calendar, contacts, tasks, OOF, shared calendars, attachments) matches the SKILL.md features and the skill name; the capability set is coherent with an Exchange/EWS integration.
Instruction Scope
concern: SKILL.md instructs storing EXCHANGE_* credentials in a .env.credentials file, but the code's _load_env() reads a .env.credentials file two directories above the package and sets every key it finds into os.environ without filtering. The code also expects different variable names (PICARD_USERNAME, PICARD_PASSWORD) while its error messages reference EXCHANGE_PASSWORD; this mismatch is confusing and could cause credentials to be placed in an unexpected location. Reading a repo/root-level .env file and mutating os.environ expands the skill's scope beyond the package and risks exposing unrelated credentials to it.
Install Mechanism
ok: No install spec is present (instruction-only with a code file). That reduces supply-chain risk since nothing is downloaded at install time. However, the code depends on exchangelib and optionally PyPDF2 (neither declared), so runtime failures may occur if dependencies are missing.
Credentials
concern: The SKILL.md declares EXCHANGE_SERVER, EXCHANGE_DOMAIN, EXCHANGE_EMAIL, EXCHANGE_PASSWORD; the code reads those in _load_env() but then uses PICARD_USERNAME and PICARD_PASSWORD as the actual variables for authentication (and raises an error referencing EXCHANGE_PASSWORD). The skill requests credentials appropriate for Exchange access (expected), but the mismatched variable names and implicit file location are disproportionate and error-prone. The skill also sets environment variables globally from a file two directories up, which could overwrite unrelated environment settings.
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent platform privileges. It can perform mailbox actions (send email, set OOF, modify events); those are appropriate for an Exchange integration but mean you should grant it only an account with the minimal required permissions.
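The loader change that the Guidance section and the Credentials dimension ask for, shown as an added example rather than the skill's own code. unsafe_export reconstructs the pattern the scan describes (every key from the file written into the environment, existing values overwritten); the skill's real _load_env() may differ in detail, and the example takes the file text as an argument instead of walking two directories up so it runs offline. The allowlist is the EXCHANGE_* names SKILL.md documents; treating EXCHANGE_DOMAIN as optional, the KEY=VALUE parsing rules, the load_credentials_file permission check, and all sample values are assumptions made for the example.

```python
from __future__ import annotations

import os
import stat
from pathlib import Path
from typing import Mapping

# Variable names documented in the skill's SKILL.md. The PICARD_* names the
# scan found in the code are deliberately absent from this allowlist.
ALLOWED_KEYS = frozenset(
    {"EXCHANGE_SERVER", "EXCHANGE_DOMAIN", "EXCHANGE_EMAIL", "EXCHANGE_PASSWORD"}
)
# Assumption: EXCHANGE_DOMAIN is optional (not every EWS login needs a domain).
REQUIRED_KEYS = frozenset({"EXCHANGE_SERVER", "EXCHANGE_EMAIL", "EXCHANGE_PASSWORD"})

# Constructed sample file content; none of these values are real credentials.
SAMPLE_ENV_FILE = """\
# .env.credentials (constructed sample)
EXCHANGE_SERVER=mail.example.com
EXCHANGE_DOMAIN=EXAMPLE
EXCHANGE_EMAIL="svc-ews-test@example.com"
EXCHANGE_PASSWORD=not-a-real-password
PICARD_PASSWORD=should-never-be-exported
AWS_SECRET_ACCESS_KEY=unrelated-secret-that-must-stay-out
"""


def parse_env_text(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; skip blanks and '#' comments, strip one layer of quotes."""
    out: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key:
            out[key] = value
    return out


def unsafe_export(text: str, environ: dict) -> None:
    """Reconstruction of the flagged pattern: every key in the file lands in the
    environment and existing values are overwritten. In the skill the text comes
    from an implicit path two directories above the package."""
    for key, value in parse_env_text(text).items():
        environ[key] = value


def missing_keys(creds: Mapping[str, str]) -> list[str]:
    """Required EXCHANGE_* names not present, sorted so error text is stable."""
    return sorted(REQUIRED_KEYS - set(creds))


def load_credentials(
    text: str, environ: Mapping[str, str] | None = None
) -> tuple[dict[str, str], list[str]]:
    """Hardened loader: only allowlisted keys are taken from the file, a value
    already in the environment wins over the file, and nothing is written back
    to the process environment. Returns (credentials, ignored_file_keys)."""
    env = os.environ if environ is None else environ
    from_file = parse_env_text(text)
    creds: dict[str, str] = {}
    for key in sorted(ALLOWED_KEYS):
        if key in env:
            creds[key] = env[key]
        elif key in from_file:
            creds[key] = from_file[key]
    missing = missing_keys(creds)
    if missing:
        raise KeyError("missing required credentials: " + ", ".join(missing))
    ignored = sorted(set(from_file) - ALLOWED_KEYS)  # e.g. PICARD_* or cloud keys
    return creds, ignored


def load_credentials_file(path: Path, environ: Mapping[str, str] | None = None):
    """Hypothetical wrapper: read an explicitly named file (no directory walking)
    and refuse one readable by group/others on POSIX."""
    st = path.stat()
    if not stat.S_ISREG(st.st_mode):
        raise ValueError(f"{path} is not a regular file")
    if os.name == "posix" and st.st_mode & 0o077:
        raise PermissionError(f"{path} is readable by other users; chmod 600 it")
    return load_credentials(path.read_text(encoding="utf-8"), environ)


if __name__ == "__main__":
    env = {"AWS_SECRET_ACCESS_KEY": "value-set-by-the-operator"}
    unsafe_export(SAMPLE_ENV_FILE, env)
    print("unsafe: AWS_SECRET_ACCESS_KEY is now", env["AWS_SECRET_ACCESS_KEY"])
    creds, ignored = load_credentials(SAMPLE_ENV_FILE, environ={})
    print("hardened: loaded", sorted(creds), "ignored", ignored)
```

Returning a dict instead of mutating os.environ also keeps the password out of child processes the skill may spawn, and the environment-wins rule lets an operator inject credentials from a secrets manager without a file on disk at all.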