ClawConnect

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the API key or connected service is misused, an agent could access or act through several of your accounts.

Why it was flagged

A single bearer token is presented as the authority for multiple personal and work accounts, including services with read and send/post capabilities.

Skill content

Connect your accounts (Twitter, Gmail, Calendar, Slack, Discord) ... All requests require `Authorization: Bearer <API_KEY>`

Recommendation

Only connect accounts you truly need, use the narrowest OAuth scopes available, store the API key carefully, and verify how to revoke both the key and connected accounts.

What this means

An agent could send public or workplace messages if it uses these endpoints without clear user approval.

Why it was flagged

The skill exposes high-impact write actions to external accounts. It includes confirmation guidance for tweets and emails, but does not clearly require approval for all write actions such as Slack messages.

Skill content

Post a tweet ... /twitter/tweet ... Send email ... /gmail/send ... Send a message ... /slack/send ... Confirm before sending tweets or emails.

Recommendation

Require explicit user confirmation before every write action, including Slack messages, and review recipient/channel/content before sending.

What this means

Email, calendar, Slack, Twitter, or Discord data requested by the agent may be handled by the ClawConnect service.

Why it was flagged

Sensitive account data is accessed through the ClawConnect gateway. This is aligned with the connector purpose, but users should understand that account data may pass through that external service.

Skill content

Base URL: `https://clawconnect.dev` ... List emails ... Get email by ID ... List workspace users ... List channels

Recommendation

Review the provider's privacy, retention, and logging practices before connecting sensitive accounts.

What this means

It may be harder to verify who operates the service before granting account access.

Why it was flagged

The registry does not provide a source or homepage, while the skill asks users to trust an external account-connector service.

Skill content

Source: unknown; Homepage: none

Recommendation

Confirm the service's legitimacy, operator, terms, and support/revocation process before connecting accounts.