Gmail Cleaner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Gmail cleanup tool, but it can permanently delete mail, create lasting Gmail filters, and store reusable Gmail tokens with weak safety controls.

Install only if you are comfortable granting Gmail modification authority. Run scan.py and dry-run modes first, avoid deep_clean.py defaults unless you explicitly want Trash permanently purged, protect or revoke the token .pkl files, and install dependencies yourself in a trusted environment before running the scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (17)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
except ImportError:
    print("Installing required packages...")
    os.system(f"{sys.executable} -m pip install google-auth-oauthlib google-auth-httplib2 google-api-python-client -q")
    from google_auth_oauthlib.flow import InstalledAppFlow
    from google.auth.transport.requests import Request
Confidence
94% confidence
Finding
os.system(f"{sys.executable} -m pip install google-auth-oauthlib google-auth-httplib2 google-api-python-client -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
except ImportError:
    os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
Confidence
92% confidence
Finding
os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
except ImportError:
    os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
Confidence
94% confidence
Finding
os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
except ImportError:
    os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
Confidence
96% confidence
Finding
os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
except ImportError:
    os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
Confidence
90% confidence
Finding
os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
except ImportError:
    os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")
    from google.auth.transport.requests import Request
    from googleapiclient.discovery import build
Confidence
88% confidence
Finding
os.system(f"{sys.executable} -m pip install google-api-python-client google-auth -q")

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and relies on file access, network access, and shell execution, yet the manifest declares no permissions or guardrails. For a skill that can authenticate to Gmail and perform destructive actions, this mismatch prevents informed consent and weakens policy enforcement around sensitive capabilities.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatically installing Python packages during auth is not necessary to the core Gmail-cleaning function and expands the script's capabilities beyond OAuth handling. This increases supply-chain and execution risk because the script may fetch and execute third-party code from package repositories without explicit user approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing Python packages during execution is not necessary for the Gmail-cleaning function itself and introduces a network-dependent supply-chain risk at the moment the tool is handling high-impact Gmail OAuth credentials and bulk-delete capabilities. This makes the skill more dangerous because a compromised package, index, or environment could execute attacker-controlled code before or during mailbox operations.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Automatically installing Python packages through pip from inside the script causes code from external repositories to be fetched and executed during normal use. In the context of a Gmail cleaner that handles OAuth credentials and performs destructive mailbox actions, this behavior is riskier because it mixes privileged email access with unprompted software installation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Auto-installing Python packages via a shell command is not necessary for the core Gmail organization function and creates unnecessary exposure to dependency confusion, compromised packages, and unexpected code execution. In a skill that processes mailbox data and OAuth tokens, this behavior is more dangerous because it combines privileged access with implicit software installation.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
A Gmail scanning utility should not need to mutate the Python environment by silently installing packages during execution. This expands the trust boundary from local mailbox metadata access to arbitrary third-party code retrieval and execution, which is especially concerning in an agent skill that may be run unattended across multiple environments.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The description uses very broad activation language such as 'clean Gmail' and 'bulk-delete emails by sender,' which can match common user requests without strong boundaries or confirmation thresholds. In this context, over-broad triggering is risky because the skill can delete or trash large volumes of email and modify account settings.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script persists OAuth credentials to disk in a pickle file without warning about sensitivity, lifecycle, or local access protections. Stored Gmail tokens can grant ongoing mailbox access and, because pickle is used, later loading the file also creates deserialization risk if the file is tampered with.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script executes automatic package installation without warning or confirmation, which can surprise users and trigger shell-based actions they did not approve. This is especially concerning in an agent skill because users may expect only Gmail cleanup operations, not environment modification and remote package retrieval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script silently installs dependencies by executing pip without warning or user approval. This is dangerous because it causes network access and execution of newly downloaded code in the user's environment, creating supply-chain exposure and surprising side effects; in a Gmail automation skill, that risk is amplified because the process also handles OAuth tokens and mailbox modification capabilities.

Session Persistence

Medium
Category
Rogue Agent
Content
---
name: gmail-cleaner
description: Clean and organize Gmail accounts in bulk. Use when asked to clean Gmail, remove spam, trash newsletters/promotional emails, bulk-delete emails by sender, create labels, set up auto-filters, or restore emails from trash. Handles single or multiple Gmail accounts via OAuth token files. Works with any Gmail account using the Gmail API.
---

# Gmail Cleaner
Confidence
95% confidence
Finding
create labels, set up auto-filters, or restore emails from trash. Handles single or multiple Gmail accounts via OAuth token files. Works with any Gmail account using the Gmail API. --- # Gmail Cleane

VirusTotal

64/64 vendors flagged this skill as clean.
