Skillv1.0.0

ClawScan security

Expanso email-triage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:44 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's functionality (email triage + calendar sync) is coherent, but there are important mismatches and privacy/network exposure risks you should understand before installing.
Guidance: Before installing/running this skill: 1) Confirm the missing registry metadata: skill.yaml requires OPENAI_API_KEY (and optional email/calendar tokens) but the registry listing shows no required env — ask the publisher to correct this. 2) Understand privacy: by default the pipelines send email bodies to OpenAI (OPENAI_API_KEY). If your emails are sensitive, use the listed local backend (ollama) or another local model, or avoid using OpenAI. 3) Network exposure: the MCP pipeline binds to 0.0.0.0:${PORT}; do not run it on a public-facing host or without proper firewall/authentication. 4) Deployment: the SKILL.md includes a deploy to skills.expanso.io — deploying moves the pipeline to an external environment (read the cloud provider's privacy policy before doing so). 5) Credentials: store tokens securely (not checked into repos) and only provide the minimum required scopes for email/calendar APIs. 6) Test first with dummy/sample emails to confirm behavior and outputs. If you want to proceed, ask the publisher to fix the registry metadata discrepancy and to document whether any telemetry or external logging occurs during runtime.

Review Dimensions

Purpose & Capability: noteThe skill's declared purpose (email triage with calendar integration) matches the included pipelines and skill.yaml. However, registry-level metadata reported no required environment variables or primary credential while the included skill.yaml and pipeline files clearly require OPENAI_API_KEY and optionally GMAIL_TOKEN / OUTLOOK_TOKEN / IMAP credentials / CALENDAR_API_KEY. SKILL.md also requires the expanso-edge binary. The mismatch between registry metadata and the bundled YAML files is an inconsistency the publisher should clarify.
Instruction Scope: concernRuntime instructions and pipelines will send email content to an LLM (openai_chat_completion using OPENAI_API_KEY) — i.e., email bodies are transmitted to OpenAI unless you switch to a local backend. The MCP pipeline starts an HTTP server bound to 0.0.0.0:${PORT} which could accept remote requests; if you run this on a host reachable from untrusted networks it could be triggered remotely and cause processing of data and LLM calls. The SKILL.md also includes a deploy command that uploads the pipeline to an external URL (skills.expanso.io), which would move the pipeline to a cloud environment. None of these behaviors are hidden in the files, but they have privacy and exposure implications that go beyond a simple local helper.
Install Mechanism: okNo install spec is provided and the skill is instruction-only (no code to download/execute). That reduces supply-chain risk because nothing will be automatically fetched or written during install — you run the pipelines explicitly via the expanso-edge binary.
Credentials: concernThe skill requires an OpenAI API key (OPENAI_API_KEY is marked required in skill.yaml) and optionally email/calendar credentials (GMAIL_TOKEN, OUTLOOK_TOKEN, IMAP_*, CALENDAR_API_KEY). Those credentials are proportionate to the stated functionality, but the registry metadata did not declare these environment requirements (registry showed none), which is a discrepancy. Also note that while credentials/ OAuth tokens are claimed to 'stay local', email content will be sent to the LLM provider unless you use the local backend (ollama).
Persistence & Privilege: notealways:false and no install hook — the skill does not request persistent platform-level privileges. However, running the MCP pipeline effectively publishes a long-lived HTTP endpoint on the host; that is not a platform privilege, but it is a runtime exposure you should treat like a networked service (bind address, firewall, authentication).