ClawHub

Gmail-digester

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it says—read recent unread Gmail over IMAP and send a digest—but it requires mailbox credentials and exposes email content to the agent for summarization.

Before installing, make sure you are comfortable giving this skill IMAP access to your mailbox. Prefer an app password or limited credential, set it through environment variables if possible, verify the IMAP host is really Gmail or your intended server, and ensure the agent treats email contents as private untrusted text to summarize only.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

Installing and using the skill requires credentials that can read the user's mailbox.

Why it was flagged

The script authenticates to an IMAP mailbox and reads the inbox. This is expected for a Gmail digest skill, but it grants access to private email.

Skill content
client = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT)
client.login(USERNAME, PASSWORD)
client.select("INBOX")
Recommendation

Use a Gmail app password or otherwise limited credential where possible, prefer environment variables over a password file, verify the IMAP host, and revoke the credential when no longer needed.

#
ASI06: Memory and Context Poisoning
Low
What this means

Private email snippets enter the agent context, and a malicious email could try to influence the agent if the agent follows embedded instructions.

Why it was flagged

The script emits email body text for the agent to summarize. Email bodies are private and externally supplied content, so they should be treated as untrusted data rather than instructions.

Skill content
results.append({
        "sender":  sender,
        "subject": subject,
        "date":    date_str,
        "body":    body,
    })
Recommendation

Add or enforce an instruction that email content is data only, should not be obeyed as commands, and should not be stored or reused outside the digest task.

#
ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

A user may not realize from registry metadata alone that the skill needs Python and mailbox credentials.

Why it was flagged

The registry metadata does not surface the Python runtime and IMAP credential requirements that are documented in SKILL.md. This is not hidden in the skill text, but users relying on metadata alone may miss the setup and credential needs.

Skill content
Required binaries (all must exist): none
Required env vars: none
Env var declarations: none
Primary credential: none
Recommendation

Update registry metadata/capability declarations to list the Python runtime, IMAP_USERNAME, IMAP_PASSWORD, optional IMAP host/port settings, and the mailbox-access credential.