Hannah & Elena client skill for coworker integration by Sokosumi
PassAudited by ClawScan on May 1, 2026.
Overview
This skill is a clearly described connector to external Hannah and Elena AI services, with expected API-key and data-sharing considerations users should review before use.
Before installing, confirm that your organization permits sending prompts, campaign details, and attachments to Hannah/Elena via sumike.ai. Configure API keys securely, consider disabling automatic agent selection for sensitive work, and verify the package source because the metadata references runtime files that are not present in the provided artifacts.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and configured, the agent can use the provided Hannah and Elena API credentials to create and retrieve tasks on those services.
The skill requires service API keys so the agent can authenticate to Hannah and Elena. This is expected for the stated integration, but the credentials grant access to the user's external service account.
requires": {"env": ["HANNAH_API_KEY", "ELENA_API_KEY"]}, "primaryEnv": "HANNAH_API_KEY"Use scoped keys if available, keep them out of chat logs and shared files, rotate them periodically, and revoke them if the skill is no longer needed.
Business plans, research prompts, or attachments submitted through this skill may leave the local environment and be processed by external AI coworkers.
The skill discloses inter-agent delegation, meaning task content sent to Elena may also be routed to Hannah as part of the workflow.
Elena auto-delegates to Hannah for market research
Avoid sending confidential or regulated information unless your organization approves the service, and confirm what data retention, sharing, and sub-agent delegation policies apply.
A request may be sent to Hannah or Elena based on the agent's interpretation rather than a user manually choosing the endpoint each time.
The skill can route requests to an external agent automatically. This is aligned with the coworker-integration purpose, but it can make external submission less explicit.
"autoSelectAgent": { "type": "boolean", "default": true, "description": "Automatically select the right agent (Hannah for research, Elena for planning) based on request type" }Ask the agent to confirm before sending sensitive or costly tasks externally, and disable automatic selection if you want manual routing.
The installed package may not contain the implementation users expect, or functionality may depend on files not included in these artifacts.
The plugin metadata references built runtime files, while the provided manifest says no code files are present. This is a packaging/provenance inconsistency rather than evidence of malicious behavior.
"exports": { "main": "./dist/hannah-elena/index.js", "types": "./dist/hannah-elena/index.d.ts" }Verify the package source or repository before relying on executable tools, especially if a later installation downloads or builds additional code.