v1.0.0

Real-Time Sales Coach

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:23 AM.

Analysis

The skill is a coherent sales-coaching helper, but it asks to pull CRM, email, and meeting-note data from external accounts without declared credentials, capabilities, or clear access limits.

GuidanceReview before installing. Use this skill only if you want it to access sales systems such as HubSpot, Outlook, and Fathom, and configure it to retrieve only the current meeting or deal context with explicit approval. Also verify any canned privacy, compliance, or product-performance claims before repeating them to customers.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityLowConfidenceMediumStatusNote

references/coaching-cards.md

Data privacy: "Your data never leaves your infrastructure in edge mode. Cloud mode has SOC 2 compliance."

The skill provides exact sales phrases that assert privacy and compliance properties; these may be appropriate, but they are not substantiated within the provided artifacts.

User impactA salesperson could repeat security or compliance claims that have not been verified for the actual product or customer deployment.

RecommendationVerify all security, privacy, accuracy, and compliance claims before using them in customer conversations, and add source-backed qualification language.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Before coaching a live meeting, load: 1. Company info from HubSpot ... 2. Recent email threads from Outlook 3. Fathom notes from prior meetings

The skill directs the agent to access CRM records, email threads, and meeting notes from third-party accounts, while the supplied metadata declares no primary credential, env vars, config paths, or derived capability tags.

User impactIf installed in an environment with those integrations available, the agent may read sensitive customer records and private sales communications without a clearly declared permission boundary.

RecommendationDeclare the required integrations and credentials, require explicit user approval before retrieval, and limit access to the current meeting, named company, or specific deal/contact records.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Receive live transcript chunk or meeting context ... Load CRM context via HubSpot (company, deal stage, contacts, prior emails)

The skill combines live meeting text with external provider data, but does not specify identity, origin, sharing, retention, or redaction boundaries for those data flows.

User impactConfidential prospect, customer, or internal sales information could be pulled into the agent context more broadly than intended.

RecommendationDefine approved connectors, data minimization rules, retention behavior, and output restrictions; avoid loading email or meeting-note content unless the user explicitly requests it for the current deal.