Comonyx Admin
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is high-impact because it uses Cosmonyx admin credentials, fetches company records, writes exports, and can email them, but the reviewed artifacts disclose these behaviors and they fit the stated admin purpose.
Install only if you are authorized to administer Cosmonyx data. Before use, verify the Cosmonyx endpoint, understand that the skill can fetch all company records, protect the SMTP .env file, and confirm export paths and email recipients before sending sensitive company data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill means the agent can authenticate as a Cosmonyx admin and access company records during the session.
The skill requires direct Cosmonyx admin credentials and sends them to the Cosmonyx gateway sign-in endpoint. This is central to the stated admin function, but it is high-privilege account access.
Ask once: "Please provide your Cosmonyx admin email." ... "Please provide your Cosmonyx admin password." ... POST https://gateway-dev.cosmonyx.co/auth/signin
Use only with an authorized admin account, verify the gateway-dev.cosmonyx.co endpoint is the intended environment, and avoid sharing credentials outside a trusted session.
A user action could result in broad company data retrieval or outbound reminder emails to selected companies.
The skill directs broad API access to retrieve all company records and includes workflows that can send reminder emails. These actions match the admin purpose but are operationally impactful.
Fetch the full list of companies... Request all pages until there are no more... Send reminder emails to records where complianceStatus is Not Started
Confirm the selected filter, recipient set, and intended email action before allowing the agent to send messages or export all records.
Exported company records may be sent to an external recipient and through the configured SMTP provider.
The email workflow can transmit generated PDF or Excel exports through SMTP to a recipient address supplied during the task. This is disclosed and purpose-aligned, but it moves potentially sensitive company data outside the local environment.
obtain the recipient address and set EMAIL_TO and ATTACHMENT_PATH in the command ... python3 send-email.py /tmp/companies_body.txt
Only email exports to approved recipients, verify the attachment path before sending, and use an approved SMTP account.
Company exports can remain on disk after the task and may be accessible to other local tools or users with filesystem access.
The skill persists exported company records to a normal user folder. This is expected for an export workflow, but the file may contain sensitive business or compliance data.
Save the file into the current user’s Downloads folder ... $HOME/Downloads/comonyx-companies.pdf
Store exports in an appropriate secure location and delete them when they are no longer needed.
Users may need to create SMTP configuration manually and should understand where email credentials are stored.
The setup documentation references an .env.example file and SMTP environment variables, while the provided registry requirements list no required environment variables. This appears to be a setup/documentation gap rather than hidden behavior.
Copy .env.example to .env in this skill root and set SMTP_USERNAME, SMTP_PASSWORD...
Review the SMTP configuration before use, protect the .env file, and avoid storing unnecessary long-lived secrets.
