ClawHub

ClawConnect

v1.0.0

ClawConnect - Universal account connector for AI agents. Send tweets, read/send Gmail, manage calendar, send Slack messages, and more through one API.

3· 1.8k·2 current·2 all-time
by@yiweil
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and SKILL.md are consistent: this is an aggregator API that proxies Gmail, Calendar, Twitter, Slack, Discord, etc. That capability justifies requesting a single aggregator API key. However, the registry metadata declares no required environment variables or primary credential while the SKILL.md consistently uses CLAWCONNECT_API_KEY — an inconsistency that should be explained.
Instruction Scope
The instructions are limited to calling a single external API (https://clawconnect.dev) and show curl examples for each service. They do not instruct reading local files, other environment variables, or performing unexpected actions. They do, however, direct all sensitive traffic to a third-party domain.
Install Mechanism
Instruction-only skill with no install spec and no code files — low surface area for disk writes or automatic installs.
!
Credentials
SKILL.md expects an API key (CLAWCONNECT_API_KEY) but the skill metadata lists no required env vars/primary credential. More importantly, a single API key would grant a third party broad access to Gmail, Calendar, Twitter, Slack and Discord accounts — a high-privilege capability that must be explicitly declared, scoped, and trusted before use.
Persistence & Privilege
The skill does not request always:true, has no install actions, and does not appear to persist configuration on the agent. Autonomous invocation is allowed (platform default) but is not combined with other privilege escalation signals here.
What to consider before installing
This skill delegates access to many of your accounts to a third-party service (clawconnect.dev). Before installing or providing an API key: 1) Verify the service identity and trustworthiness (official homepage, company, privacy policy, and contact). The registry metadata lacks the CLAWCONNECT_API_KEY declaration present in the SKILL.md—ask the publisher to correct that. 2) Understand scope: one API key could permit reading/sending email, calendar events, messages, and posting on your behalf; only use with throwaway or limited-permission accounts during testing. 3) Confirm how the service stores and protects tokens, and whether you can revoke individual provider authorizations. 4) Prefer least privilege: restrict the aggregator's access in each connected service (use narrow OAuth scopes if possible). 5) If you need stronger assurance, request source code or a vendor security/privacy statement, or consider using well-known, audited integrations or a self-hosted connector. Additional information (official homepage, privacy/security docs, or source code) would raise confidence; absence of that information keeps this assessment at "suspicious."

Like a lobster shell, security has layers — review code before you run it.

latestvk97afmk2ypby83y8q6mt8ygmj980d1jr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments