Email Autopilot
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill is not clearly malicious, but it asks for broad, ongoing control of a user's email account without a declared email authorization, scope, or data-retention boundary.
Only install this if you are comfortable granting broad mailbox access. Before use, confirm the exact email account, OAuth scopes, folders, retention policy, approval steps for send/archive/unsubscribe actions, and how to disable recurring checks or delete learned writing-style data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may grant or rely on broad mailbox authority without a clear statement of which account, credential, or OAuth scopes the skill needs.
The registry/requirements do not declare an email credential or scope even though the skill description and instructions require delegated access to a user's email account for reading, sending, archiving, and unsubscribing.
Description: "Triages your inbox by urgency and importance, drafts..." / "Primary credential: none" / "Required env vars: none"
Require an explicit email-provider authorization model, minimal read/send scopes, and separate user approval for destructive or account-changing permissions.
Private email content, relationship context, and writing style could be retained or reused in ways the user did not expect, and misleading email content could influence future summaries or drafts.
The skill implies persistent learning from private sent mail and user edits, but the visible artifacts do not define storage location, retention period, deletion controls, or limits on reuse across future tasks.
"The agent reads your sent mail history to learn your natural writing style" ... "The agent learns from your edits to improve future drafts"
Add explicit controls for what mail is analyzed, whether style learning is enabled, where learned data is stored, how long it is retained, and how the user can review or delete it.
The agent could continue monitoring and classifying email beyond a single user-requested action if the platform supports those automatic triggers.
The skill describes recurring autonomous operation over the mailbox, but the artifacts do not specify how scheduling is enabled, disabled, limited, or audited.
"Trigger: "Check my email", or automatically every morning as part of morning briefing" ... "Trigger: Automatic after every email you send"
Make recurring runs explicitly opt-in, provide a visible schedule and stop control, and log each automated mailbox access.
Important messages could be archived or subscriptions could be changed if the agent misclassifies email or if the user approves a broad action without enough detail.
The skill includes mailbox-mutating operations based on automated classification. Sending and unsubscribing have approval language, but the archive-all flow may hide messages after only a summarized noise count, and reversibility is not specified.
"Noise count shown with one-tap option to archive all" ... "Agent handles the unsubscribe action for each approved sender"
Show the exact messages/senders before archive or unsubscribe actions, require confirmation for bulk changes, and document how to undo changes.
