Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Biz Relationship Pulse
v1.0.0
Scans your emails and LinkedIn to identify stalled commercial relationships and suggests prioritized contacts with tailored re-engagement lines.
by Nico Lumma (@rednix)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The SKILL.md describes exactly the capabilities needed to perform the stated task (reading Gmail threads, LinkedIn messages/profiles, WhatsApp if available, plus local config/pipeline/context files). However, the registry metadata (required env vars, config paths, credentials) lists none, while the SKILL.md metadata explicitly requires channel configuration (openclaw.requires: '{"config": ["channels"]}'). This mismatch between what the skill expects at runtime and what the package declares is a coherence concern.
Instruction Scope
The runtime instructions stay on purpose: search user message threads for stalled conversations, score candidates, and produce re-engagement lines. The skill explicitly reads only config.md, pipeline.md, and context.md in addition to communication channels. It does not (in the visible text) instruct transmission of data to external servers outside the user's channels. Still, it requires reading full message content and profile activity, a high-privacy operation that the user should explicitly consent to.
Install Mechanism
This is instruction-only with no install spec and no code files. That minimizes disk-writing and supply-chain risk; there are no downloads or packages to evaluate.
Credentials
The skill will need access to sensitive accounts (Gmail, LinkedIn, potentially WhatsApp) and to read message content, but the registry entry declares no required credentials or config paths. The SKILL.md implies reliance on platform 'channels' connectors rather than explicit API keys, yet the lack of declared required permissions or a clear statement about what connectors will be used/needed is a proportionality and transparency problem.
Persistence & Privilege
Although always:false and not force-included, the SKILL.md describes a weekly cron that reads the user's data (token discipline: weekly cron reads only config.md + pipeline.md + context.md). That implies periodic autonomous scanning of sensitive channels. The skill does not declare how often it will run on the platform or what controls the user has to stop/inspect scheduled runs; this ongoing access increases privacy risk and should be disclosed/controllable.
What to consider before installing
This skill's behavior (reading your emails, LinkedIn messages, and potentially WhatsApp) is consistent with its purpose, but the package metadata is inconsistent and lacks clear declarations about what account access it needs and how frequently it will scan. Before installing: confirm exactly which 'channels' connectors the platform will grant to the skill (Gmail OAuth scopes, LinkedIn access via MCP, WhatsApp access), whether the skill will store or transmit message contents externally, and whether you can opt into a one-time scan vs. ongoing scheduled runs. Ask the publisher for a clear permission list, a data retention/privacy statement, and logs/auditability for scheduled runs; if you can't get that, treat the skill as higher-risk for sensitive inbox data. If you proceed, restrict access to a limited mailbox/label or test with a non-sensitive account first.
latest: vk97a6a9z5vemawsfzec2hcbepd83vzzc
