ClawHub

Gmail Checker

v1.3.2

Check Gmail for unread inbox emails, filtered by priority. Use when asked to check emails, check inbox, email digest, email summary, or "any new mail". Outpu...

0· 94·0 current·0 all-time
by@99rebels
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
stale
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Gmail checking) align with the included scripts and README. The skill legitimately needs Google OAuth credentials; the package uses a file-based credential store rather than environment variables, which is a reasonable design choice for an interactive OAuth flow.
Instruction Scope
SKILL.md and references/setup.md describe only the Gmail OAuth setup, dependency installation, and running the two Python scripts. The runtime instructions do not request unrelated files, secrets, or network endpoints outside Google OAuth/Gmail APIs. They clearly document where credentials/config are saved and how to run the scripts.
Install Mechanism
This is instruction-only with no install spec; code files are plain Python and require publicly available google-auth libraries. There are no downloads from unknown hosts or archive extraction steps in the manifest.
Credentials
No environment variables are required by the registry metadata, but the skill optionally uses $SKILL_DATA_DIR (or defaults to ~/.config/gmail-checker) for storing credentials — this is documented. The setup asks the user for client_id/client_secret and saves the refresh token and client credentials to a local file (gmail.json). These are sensitive and grant read access to the mailbox; storing them is necessary for the stated purpose but users should treat that file as secret.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It persists only its own credentials/config in a single directory and sets file permissions to 0600.
Assessment
This skill appears to do what it says: it reads unread Gmail messages via the Gmail API. Before installing or running it, be aware that you must create Google OAuth credentials and supply the Client ID/Client Secret; the setup will save those plus a refresh token to a file (default: ~/.config/gmail-checker/gmail.json or $SKILL_DATA_DIR). That file is sensitive — treat it like a password. Only run this skill on a trusted machine or agent (avoid multi-tenant/shared CI runners) because anyone with that file and the client secret could access your mailbox with read scope. Confirm you are comfortable adding your Gmail address as a test user during the OAuth setup (the instructions require that for unverified apps). If you prefer not to store credentials on disk, do not install/run the skill. If you need additional assurance, inspect the two Python scripts — they use only Google OAuth and the Gmail REST API with readonly scope and contain no obfuscated or external endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fvqtnd95t6bbghn5c8x0x9h8466d7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments