Back to skill
Skillv1.0.1
ClawScan security
Email Verifier · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 15, 2026, 4:08 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are coherent: it performs DNS and SMTP RCPT checks as described and does not request unrelated credentials or hidden installs.
- Guidance
- This skill appears to do exactly what it says, but take these practical precautions before using it: (1) Running RCPT checks opens many connections to third-party mail servers and can be interpreted as spam reconnaissance — use only on lists you own or have permission to verify. (2) Run from an environment that permits outbound port 25 (some ISPs block it) and consider using a server or VM with appropriate reputation to avoid IP blacklisting. (3) Respect the provided rate-limiting defaults and do not bulk-run large lists from residential IPs; for large volumes prefer a dedicated verification service. (4) Review the included script (verify_email.py) yourself before running; it performs network I/O (smtplib/dns) but contains no hidden remote endpoints or credential exfiltration. (5) Install dnspython from the official PyPI repository (pip3 install dnspython). If you need higher assurance, run the script inside an isolated VM/container and/or ask for a third-party code review.
Review Dimensions
- Purpose & Capability
- okName/description (SMTP RCPT checks, MX lookup, catch-all detection) match the included script and SKILL.md. The included Python script implements the stated functionality and the only external dependency (dnspython) is consistent with MX lookups.
- Instruction Scope
- okSKILL.md instructions and the script limit actions to DNS resolution, TCP connections to MX hosts on port 25, CSV/stdin reading, and local rate limiting. The instructions do not read unrelated files or environment variables, nor do they exfiltrate data to external endpoints beyond the target mail servers.
- Install Mechanism
- okNo install spec is provided (instruction-only), and the only required package is dnspython (pip). No downloads from unknown URLs or archive extraction are present. The script runs directly with system Python.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. Network access to MX servers is expected and proportional to the stated purpose.
- Persistence & Privilege
- okSkill is not forced-always, has no autonomous-privilege escalation indicators, and does not attempt to modify other skills or system-wide settings.