contractor-marketing-cowork Security Report — Trusted | ClawSafe

5 /100

contractor-marketing-cowork

AI marketing department for contractors and home service businesses. 12 slash commands + 6 background skills for SEO, ads, social media, proposals, job costing, competitor audits, and more.

Pure documentation-based marketing skill with no executable code, no sensitive file access, and a publicly-documented Supabase anon key used for strategy lookups.

Skill Namecontractor-marketing-cowork

Duration28.9s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use as documented.

Findings 1 items

Severity	Finding	Location
Low	Supabase anon API key embedded in documentation Doc Mismatch SKILL.md line 43 contains a JWT-format Supabase API key in the Strategy Library curl example. This is an anon (public) key intended for client-side use and carries no elevated privileges. While not a security risk, embedding it in docs is poor practice. `apikey=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...` → Consider removing the API key from documentation and guiding users to provide their own key or use a server-side proxy.	`SKILL.md:43`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file I/O operations found; all content is markdown text
Network	`NONE`	`NONE`	—	No network calls in code; curl example is documented API usage, not executed
Shell	`NONE`	`NONE`	—	No bash/shell commands, scripts, or subprocess calls found
Environment	`NONE`	`NONE`	—	No os.environ or environment variable access found
Clipboard	`NONE`	`NONE`	—	Not referenced in any file
Browser	`READ`	`READ`	✓ Aligned	CONNECTORS.md documents browser use for GBP/Meta/Google Ads — clearly declared
Database	`NONE`	`NONE`	—	No direct DB access; Supabase REST call is documented API usage

3 findings

🔗

Medium External URL 外部 URL

https://heavymetric.com/strategies

README.md:37

🔗

Medium External URL 外部 URL

https://heavymetric.com

README.md:95

🔗

Medium External URL 外部 URL

https://dmlybcnpwtnaadmapdhl.supabase.co/rest/v1/strategies?or=(title.ilike.*QUERY*

SKILL.md:43

File Tree

21 files · 38.6 KB · 928 lines

Markdown 21f · 928L

├─ ▾ 📁 commands

│ ├─ 📝 ad-creative.md Markdown 44L · 1.7 KB

│ ├─ 📝 competitor-audit.md Markdown 54L · 1.6 KB

│ ├─ 📝 content-calendar.md Markdown 49L · 1.8 KB

│ ├─ 📝 email-sequence.md Markdown 46L · 1.8 KB

│ ├─ 📝 gbp-post.md Markdown 35L · 1.3 KB

│ ├─ 📝 job-cost.md Markdown 52L · 1.6 KB

│ ├─ 📝 lead-followup.md Markdown 43L · 1.5 KB

│ ├─ 📝 onboard.md Markdown 49L · 2.1 KB

│ ├─ 📝 proposal.md Markdown 54L · 1.9 KB

│ ├─ 📝 review-response.md Markdown 48L · 1.5 KB

│ ├─ 📝 social-batch.md Markdown 45L · 1.6 KB

│ └─ 📝 weekly-report.md Markdown 44L · 1.8 KB

├─ ▾ 📁 skills

│ ├─ ▾ 📁 contractor-ads

│ │ └─ 📝 SKILL.md Markdown 37L · 1.8 KB

│ ├─ ▾ 📁 contractor-email

│ │ └─ 📝 SKILL.md Markdown 27L · 1.6 KB

│ ├─ ▾ 📁 contractor-operations

│ │ └─ 📝 SKILL.md Markdown 31L · 1.6 KB

│ ├─ ▾ 📁 contractor-positioning

│ │ └─ 📝 SKILL.md Markdown 35L · 1.7 KB

│ ├─ ▾ 📁 contractor-seo

│ │ └─ 📝 SKILL.md Markdown 28L · 1.8 KB

│ └─ ▾ 📁 contractor-social

│ └─ 📝 SKILL.md Markdown 34L · 1.6 KB

├─ 📝 CONNECTORS.md Markdown 22L · 1.2 KB

├─ 📝 README.md Markdown 97L · 4.2 KB

└─ 📝 SKILL.md Markdown 54L · 2.9 KB

Security Positives

✓ No executable code — pure Markdown documentation only

✓ No scripts, shell commands, or subprocess calls

✓ No environment variable or credential access

✓ No sensitive file paths accessed (~/.ssh, ~/.aws, .env)

✓ No base64-encoded or obfuscated content

✓ No credential harvesting or data exfiltration

✓ All external capabilities (browser automation) clearly documented in CONNECTORS.md

✓ No supply chain risks — no dependencies, no package files

Scan Report

Findings 1 items

File Tree

Security Positives