Expanso email-triage
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s email-triage purpose is coherent, but it exposes sensitive email/calendar workflows through broad credentials, a network MCP endpoint, and default automatic calendar-event creation without clear approval controls.
Review this skill before installing. If you use it, bind the MCP server to localhost, use least-privilege email/calendar credentials, disable automatic calendar creation unless you explicitly want it, and confirm whether email contents will be sent to OpenAI or processed locally.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill could add events to your calendar automatically based on AI interpretation of emails.
Calendar-event creation is an account-mutating action and is enabled by default, but the artifacts do not show a user confirmation or rollback step before creating events.
create_calendar_events:
  type: boolean
  default: true
  description: Automatically create calendar events from meeting requests
Set calendar creation to opt-in or preview-only by default, and require explicit user confirmation before creating or modifying calendar entries.
If run as documented, other machines that can reach the port may be able to trigger the triage endpoint and consume API access; with real email integration this could expose inbox-derived results.
The MCP/HTTP server listens on all network interfaces, and no authentication, caller identity check, or localhost-only restriction is shown.
http:
  enabled: true
  address: "0.0.0.0:${PORT:-8080}"
...
http_server:
  path: /triage
  allowed_verbs: [POST]
Bind the server to localhost by default, add authentication/authorization, and document safe network exposure settings.
A malicious email could try to manipulate the model’s classification or generated actions, especially if calendar creation or other account changes are enabled.
Untrusted email body text is inserted directly into the LLM prompt, and the LLM output is then used for actions such as classification, response drafting, and calendar-event extraction.
"BODY: " + e.body.slice(0, 500) + "\n---" ... "Classify these emails:"
Treat email bodies as untrusted data, add prompt-injection-resistant instructions and validation, and require human review before downstream actions.
Installing or running the skill may require sensitive account tokens or passwords.
The requested credentials are purpose-aligned for email triage and calendar sync, but they grant access to private inbox, calendar, and AI-provider accounts.
credentials:
  - name: GMAIL_TOKEN
  - name: OUTLOOK_TOKEN
  - name: IMAP_PASS
  - name: OPENAI_API_KEY
  - name: CALENDAR_API_KEY
Use least-privilege tokens, avoid broad account scopes, and revoke credentials when no longer needed.
A remote pipeline could differ from the files reviewed here if the URL changes.
The documented cloud deployment fetches a remote pipeline URL rather than clearly pinning the reviewed local artifact to a hash or version.
expanso-cli job deploy https://skills.expanso.io/email-triage/pipeline-cli.yaml
Prefer deploying the reviewed local pipeline or pin the remote artifact by version/hash.
A user may overestimate how much processing remains local.
The privacy wording is broad, while the skill also uses a remote OpenAI backend and provider API credentials; users should understand which data and keys are sent to which providers.
# Credentials (stored locally, never transmitted)
...
backends:
  - name: openai
    type: remote
    requires: [OPENAI_API_KEY]
Clarify that email content is sent to the selected AI backend and that API keys are used with their respective remote services.
