Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx could-have-been-email

v1.0.0

Analyzes meeting transcripts to determine if the discussion could have been an email, returning filler word count and decisions.

by Bruce Gutman (@brucegutman)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for brucegutman/pipeworx-could-have-been-email.

Install the skill "Pipeworx could-have-been-email" (brucegutman/pipeworx-could-have-been-email) from ClawHub.
Skill page: https://clawhub.ai/brucegutman/pipeworx-could-have-been-email
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-could-have-been-email

ClawHub CLI

npx clawhub@latest install pipeworx-could-have-been-email
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The description says it analyzes meeting transcripts and returns filler-word counts and decisions — that capability plausibly requires calling an external service. However, SKILL.md explicitly states it "requires X-API-Key" and points to an external gateway (gateway.pipeworx.io) while the skill metadata lists no required environment variables or primary credential. The missing API-key declaration is an incoherence.
! Instruction Scope
The runtime instructions are minimal but imply sending meeting transcripts to an external MCP endpoint. They do not specify how the X-API-Key is supplied, what data is sent, or any privacy/retention behavior. Any skill that transmits meeting transcripts externally should explicitly document required credentials and data handling; this one does not.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes on-disk installation risk — nothing is downloaded or executed locally by the skill itself.
! Credentials
SKILL.md states an API key is required (X-API-Key) but the registry entry declares no env vars or primary credential. Requesting an external API key is plausible, but an undisclosed credential requirement is disproportionate and unclear. There's no indication what scopes/permissions that key has or where it should be stored.
Persistence & Privilege
The skill is not always-on and uses default autonomous invocation settings. There's no indication it requests permanent agent changes or elevated system privileges. Note: autonomous invocation combined with an external API (and an API key) increases data-exfiltration risk, but autonomous invocation itself is expected.
What to consider before installing
This skill appears to send meeting transcripts to an external service (gateway.pipeworx.io) and mentions an X-API-Key, but the skill metadata doesn't declare any required credentials or explain where the key comes from. Before installing:

1) Ask the publisher for a homepage, privacy policy, and owner identity.
2) Require the skill to declare the exact env var name for the API key and explain key scopes and storage recommendations.
3) Confirm what transcript data is transmitted, how long it is stored, and whether PII will be retained.
4) Avoid sending sensitive meeting content until you verify the service and the API-key handling.

Providing those clarifications would move this assessment toward benign; absent them, treat the skill as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latest vk97dw8yhqyahhbd4crg9xxrbtn85c66j
69 downloads
0 stars
1 version
Updated 4d ago
v1.0.0
MIT-0

Could Have Been Email

could-have-been-email MCP — wraps StupidAPIs (requires X-API-Key)

could_have_been_email_analyze

Check if a meeting transcript could have been an email instead. Returns filler word count, decisions

{
  "mcpServers": {
    "could-have-been-email": {
      "url": "https://gateway.pipeworx.io/could-have-been-email/mcp"
    }
  }
}
