Code Right Skill
PassAudited by ClawScan on May 14, 2026.
Overview
The skill appears coherent and purpose-aligned, but it sends the provided system name, email, and optional access token to softcraft.cloud to run a remote background job and email results.
This skill looks safe for its stated purpose, but it depends on an external service. Before installing or using it, make sure you trust softcraft.cloud with the project name, recipient email, and any optional access token, and confirm the email address before asking the agent to create a task.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The remote provider receives the project name and email address and can use them to generate and deliver the requested materials.
The script sends the user-provided system name and notification email to an external service over HTTPS.
DEFAULT_API_BASE = "https://softcraft.cloud" ... payload = {"systemName": args.system_name, "notifyEmail": args.notify_email}Only submit system names and email addresses you are comfortable sharing with softcraft.cloud, and verify the recipient address before running the task.
If a user provides a token, that token may authorize task filtering or downloads with the remote service.
An optional access token can be supplied and is forwarded to the remote API as a header.
parser.add_argument("--access-token") ... headers["access_token"] = args.access_tokenUse only the intended service token, avoid pasting unrelated credentials, and rotate the token if it is accidentally shared.
If invoked with the wrong email address, generated materials or a download link could be sent to the wrong recipient.
Invoking the skill creates a remote task that packages output and automatically emails a download link.
ZIP 打包 + 邮件发送 — 完成后自动发下载链接到邮箱
Have the agent confirm the system name and notification email before creating the task, especially for legal or business documents.