Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Comonyx Admin
v1.0.1
Admin skill to sign into Cosmonyx, fetch companies, filter/export (PDF or Excel), optionally email the export, or send reminder emails to filtered companies.
⭐ 0 · 488 · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (sign into Cosmonyx, fetch companies, export, email) matches the code and instructions. However: registry metadata lists no required env vars while TOOLS.md/send-email.py clearly expect SMTP credentials (.env or environment); the skill name in the registry (Comonyx) and docs (Cosmonyx/Cosmonyx) are inconsistent; the API host used is a 'gateway-dev' domain (suggests a development endpoint). These mismatches reduce confidence that the manifest accurately describes needed capabilities.
Instruction Scope
SKILL.md directs the agent to collect admin credentials, call the gateway API (including iterating pages), write exports to $HOME/Downloads, and optionally run the bundled email script which reads a .env in the skill root. The instructions permit sending potentially sensitive company data to arbitrary recipient addresses. The skill does not declare or surface the .env requirement in the registry manifest — the .env is described only in TOOLS.md. The use of a 'gateway-dev' endpoint and default values embedded in the email script (IdentityGram default sender) are unexpected and should be validated.
Install Mechanism
No install spec (instruction-only plus included script files). No network download/exec of remote archives. This is the lower-risk install pattern.
Credentials
The skill will need SMTP credentials (SMTP_USERNAME and SMTP_PASSWORD) to send email, and TOOLS.md instructs placing them in a .env in the skill root or exporting them in the exec command — yet the registry lists no required env vars and 'Required env vars: none'. The send-email.py also has default SMTP host and default sender fields (in-v3.mailjet.com and verification@identitygram.co.uk) that do not match the Cosmonyx branding, which is suspicious/unexplained. Requesting admin email/password for the gateway sign-in is expected, but the absence of declared required env vars and odd defaults is disproportionate to the manifest.
Persistence & Privilege
The skill does not request special installation privileges, its 'always' flag is false, and it does not attempt to modify other skills or global config. It will write files to user-visible locations (Downloads, /tmp) when exporting, which is expected for its function.
What to consider before installing
Before installing or running this skill:
1) Verify the gateway host (https://gateway-dev.cosmonyx.co) is the correct production endpoint for your organization. The 'gateway-dev' name suggests a development server and could be wrong or hostile.
2) Inspect .env.example in the skill root; do not place real SMTP credentials in a skill directory unless you trust the skill source and storage location. Consider providing per-request SMTP credentials via temporary environment export rather than permanently storing them in the skill folder.
3) Confirm you trust the skill author (no homepage, unknown owner).
4) Note the default sender identity in the script (IdentityGram) is inconsistent with the Cosmonyx product and may indicate reuse of code; ask the author to clarify/remove unrelated defaults.
5) Understand that giving admin credentials to the agent will allow it to fetch all company records and (with SMTP creds or by exporting files) send that data to arbitrary recipients. Only proceed if you intend to transmit that data and you control the recipients.
6) Ask the maintainer to update the registry metadata to declare required env vars (SMTP_*), fix naming inconsistencies, and confirm the intended gateway URL; if you cannot validate these, treat the skill as untrusted and avoid supplying org admin or SMTP credentials.
latest vk972zrpbymrbwgb06j712wx5f181w6fg
Runtime requirements
🛠️ Clawdis
