Skill v1.0.0
ClawScan security
Skill Email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 30, 2026, 5:34 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions are consistent with an email-generation tool that calls a TradeGPT API and optionally can send mail; minor metadata inconsistencies should be reviewed but do not indicate malicious intent.
- Guidance: This skill appears to do what it says: it generates multilingual business emails and includes template resources. Before installing or enabling: (1) Confirm the provider (https://yunlvai.com) and privacy/usage terms for TradeGPT; (2) only provide TRADEGPT_API_KEY if you trust the service; (3) do NOT provide EMAIL_API_KEY / SMTP credentials unless you want the skill to send emails on your behalf — otherwise leave sending disabled and copy-paste generated text manually; (4) ask the publisher why registry metadata differs from the SKILL.md (env vars and python3) and require clarification if you need assurance; (5) avoid pasting sensitive customer data into the skill unless you accept that it will be sent to the vendor's API per their privacy policy.
Review Dimensions
- Purpose & Capability (note): The skill's stated purpose (multilingual B2B email writing) matches the instructions and provided templates. It declares TRADEGPT_API_KEY (for the yunlvai API) which is appropriate. Minor mismatch: the registry summary reported 'no required env vars / binaries', while SKILL.md and clawhub.yaml declare TRADEGPT_API_KEY, optional EMAIL_API_KEY, and python3 in bins — likely sloppy metadata but worth confirming.
- Instruction Scope (ok): SKILL.md is an instruction-only workflow for generating email text, selecting language/tones, and using included templates. It does not instruct the agent to read arbitrary system files, access unrelated credentials, or exfiltrate data to unknown endpoints. The only external endpoint referenced is the documented api.yunlvai.com (TradeGPT) and a user-configured SMTP endpoint for sending emails.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only and will not write or execute downloaded code. This is low risk from an install/execution perspective.
- Credentials (note): Requesting a TradeGPT API key is proportionate to the skill's purpose. An optional EMAIL_API_KEY (or SMTP credentials) is plausible for an 'auto-send' feature but grants the skill the ability to send outbound email — the user should only provide that if they intend auto-sending. The declared python3 binary requirement is questionable for an instruction-only skill and may be unnecessary; verify whether any runtime components actually need it.
- Persistence & Privilege (ok): always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request persistent system privileges or attempt to modify other skills or global agent settings.
