Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Connect Apps
v0.1.0Connect Claude to external apps like Gmail, Slack, GitHub. Use this skill when the user wants to send emails, create issues, post messages, or take actions i...
⭐ 0· 627·5 current·5 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (connect to Gmail, Slack, GitHub, etc.) matches the runtime instructions: install a composio Tool Router plugin and authorize via OAuth. However, the Skill metadata lists no primary credential or required env vars while the instructions explicitly require an API key and OAuth authorizations; this metadata omission reduces transparency.
Instruction Scope
SKILL.md only tells the agent (and user) to run platform-specific plugin commands and to complete OAuth flows; it does not instruct the agent to read local files, environment variables, or other system state. Actions are delegated to the composio service which then performs app-specific calls.
Install Mechanism
This is an instruction-only skill (no install spec, no code shipped). The install directive is a platform plugin command (/plugin install composio-toolrouter), so nothing in the skill writes arbitrary binaries to disk from unknown URLs. Risk is moved to the external plugin/service, not to this skill bundle.
Credentials
The registry declares no required env vars or primary credential, but SKILL.md instructs the user to provide a 'free API key' from platform.composio.dev and to complete OAuth authorizations that grant access to many apps. That broad access is expected for this capability but the discrepancy between metadata and runtime reduces transparency and could surprise users. Users should verify what tokens/scopes the external service will receive.
Persistence & Privilege
always is false and there is no install spec that modifies agent/system configs. The plugin approach implies the external service will hold OAuth tokens, but this skill itself does not request permanent agent-wide privileges in the registry.
What to consider before installing
This skill delegates actions to a third‑party service (Composio Tool Router). Before installing: (1) Verify platform.composio.dev and the composio plugin are trustworthy (homepage/source code, company reputation). (2) Expect to provide an API key and complete OAuth flows — doing so grants the external service the ability to act on your accounts (send email, post to Slack, create GitHub issues). Review and limit OAuth scopes where possible, and prefer authorizing only the accounts you intend to use. (3) Note the skill metadata does not declare the API key/OAuth requirement — treat that as a transparency gap. (4) If you need stronger assurance, request the plugin's source or audit the composio service's privacy/security docs and confirm how to revoke tokens. If you are unsure about granting broad access, do not install.Like a lobster shell, security has layers — review code before you run it.
latestvk97d6a1r50znfmkgxmjt93mrnx81e3d4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.