Gmail Label Routing
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with the wrong sender or label, existing and future emails could be labeled or archived unexpectedly.
The workflow can batch-modify existing Gmail messages and defaults to removing matching messages from Inbox unless the user chooses --keep-inbox.
inbox_group.add_argument("--remove-inbox", dest="remove_inbox", action="store_true", default=True) ... "messages", "batchModify"
Confirm the exact senders, label, and Inbox behavior before running; use --dry-run first for uncertain requests.
The skill operates with the Gmail account authority available in the selected local OAuth credential file.
The script reads local OAuth credentials containing a refresh token and uses them to obtain Gmail API access.
DEFAULT_CREDENTIAL_CANDIDATES = ["/root/.config/gws/credentials.new.json", "/root/.config/gws/credentials.json"] ... "refresh_token"
Use only the intended Gmail credential file, avoid over-scoped tokens where possible, and do not provide unrelated account credentials.
A user may not realize from the metadata alone that the skill needs local Gmail tooling and credential files.
The registry metadata does not declare the local gws dependency or OAuth credential files that the included workflow relies on.
Required binaries (all must exist): none ... Primary credential: none ... Required config paths: none
Document the gws dependency and expected OAuth credential path before installation or use.
