X to Kindle

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s main function is coherent, but it asks for a Gmail app password to be stored in a persistent TOOLS.md file while the registry declares no credential or config requirement.

Review this skill before installing. Its core idea is reasonable, but do not place a primary Gmail app password in a shared or broadly readable TOOLS.md file. Prefer a dedicated sender account, protected secret storage, and manual confirmation before each Kindle email is sent.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the app password is misused or exposed, someone or another tool could potentially send email from the user’s account.

Why it was flagged

The skill requires a delegated email credential that can authorize SMTP sending from the user’s account, but the registry metadata says there is no primary credential or required environment variable.

Skill content

- Gmail account with App Password (or other SMTP setup)

Recommendation

Use a dedicated email account or tightly scoped SMTP credential if possible, revoke it when no longer needed, and avoid granting the skill access to a primary Gmail account.

What this means

A stored app password could be exposed to other workflows or retained longer than intended, increasing the risk of account misuse.

Why it was flagged

The skill tells the user to persist a sensitive email credential in TOOLS.md, which may be reused across tasks and is not described with access-control, retention, or isolation guidance.

Skill content

Store in TOOLS.md: ... App Password: xxxx xxxx xxxx xxxx

Recommendation

Store the SMTP password in a secret manager or protected environment variable instead of a general TOOLS.md file, and document who or what can read it.

What this means

The agent may send an email from the configured account when it believes the user wants a tweet sent to Kindle.

Why it was flagged

Sending email through SMTP is central to the skill’s purpose, but it is still a mutating action using the user’s email account.

Skill content

Send via SMTP to user's Kindle address with subject line as tweet preview.

Recommendation

Confirm the Kindle recipient and tweet/thread before sending, especially on first use.