Tmp.Mw5jO0UIvc
Warn. Audited by ClawScan on May 12, 2026.
Overview
The skill is explicitly a Gmail skill, but it hands an unreviewed npm MCP package broad, authenticated Gmail powers: sending, forwarding, auto-replying, bulk and permanent deletion, and persistent account-setting changes, with no stated limits on which actions require approval.
Install only if you trust the npm package and are comfortable granting it access to the account. Pin and verify the package, check the OAuth scopes the account grants, and require explicit confirmation before sending, forwarding, auto-replying, deleting mail, or changing forwarding, delegate, send-as, vacation, watch, filter, or tracking settings.
Findings (5)
This is an artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Impact: The agent can act through the user's Gmail account, including reading mail, changing labels, and sending messages.
Details: The skill expects an already-authenticated Gmail account and selects it through an environment variable, but the artifacts do not state which OAuth scopes it needs, what permission boundaries apply, or how credentials are handled.
Evidence: - [gogcli](https://github.com/steipete/gogcli) installed and authenticated ... "GOG_ACCOUNT": "you@gmail.com"
Recommendation: Use only a Gmail account you intend to delegate to the agent, verify the OAuth scopes that account has granted, and prefer a dedicated or least-privilege account where possible.
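Verifying the scopes is concrete work, not just advice. The script below is an added example (not part of the ClawScan report and not gogcli's code): it takes the scope list Google's tokeninfo endpoint returns for an access token, compares it with the capabilities a task actually needs, and computes the least-privilege scope set for that task. The scope URIs are Google's published Gmail scopes; the capability map is a simplified reading of their descriptions, and the tokeninfo response is constructed, not captured from a real account. The detail worth noticing is that a tool like `gog_gmail_batch_delete` (permanent deletion bypassing Trash) only works under the full-mailbox scope `https://mail.google.com/`, so an account set up to make every tool in this skill work is necessarily a full-access account.

```python
from itertools import combinations

# Google's published Gmail OAuth scope URIs.
READ_ONLY = "https://www.googleapis.com/auth/gmail.readonly"
LABELS = "https://www.googleapis.com/auth/gmail.labels"
MODIFY = "https://www.googleapis.com/auth/gmail.modify"
COMPOSE = "https://www.googleapis.com/auth/gmail.compose"
SEND = "https://www.googleapis.com/auth/gmail.send"
SETTINGS_BASIC = "https://www.googleapis.com/auth/gmail.settings.basic"
SETTINGS_SHARING = "https://www.googleapis.com/auth/gmail.settings.sharing"
FULL = "https://mail.google.com/"

# Simplified capability map derived from Google's scope descriptions. What
# matters for this skill: only FULL allows permanent deletion that bypasses
# Trash (what a batch-delete tool needs); MODIFY stops at trashing; and the
# sharing scope is what forwarding/delegate/send-as changes require.
CAPABILITIES = {
    READ_ONLY: {"read"},
    LABELS: {"labels"},
    MODIFY: {"read", "labels", "trash", "draft", "send"},
    COMPOSE: {"draft", "send"},
    SEND: {"send"},
    SETTINGS_BASIC: {"settings"},
    SETTINGS_SHARING: {"forwarding", "delegates", "sendas"},
    FULL: {"read", "labels", "trash", "draft", "send", "settings", "permanent_delete"},
}

# Constructed stand-in for Google's tokeninfo response (the real endpoint returns
# the granted scopes as one space-separated "scope" string). Not a real token.
SAMPLE_TOKENINFO = {"scope": f"{FULL} {SETTINGS_SHARING}", "expires_in": 3500}


def capabilities(scopes):
    """Union of capabilities for a scope set; unknown scopes are returned
    separately so a typo or unexpected scope is never silently ignored."""
    caps, unknown = set(), set()
    for scope in scopes:
        if scope in CAPABILITIES:
            caps |= CAPABILITIES[scope]
        else:
            unknown.add(scope)
    return caps, unknown


def audit(tokeninfo, needed):
    """Compare what the token grants with what the task needs."""
    granted = set(tokeninfo.get("scope", "").split())
    caps, unknown = capabilities(granted)
    return {
        "missing": sorted(needed - caps),
        "excess": sorted(caps - needed),
        "full_mailbox": FULL in granted,
        "unknown_scopes": sorted(unknown),
    }


def minimal_scopes(needed):
    """Scope set covering `needed` with the least excess capability, ties broken
    by scope count. Brute force over all 2**8 subsets is cheap here."""
    scopes = sorted(CAPABILITIES)
    best = None
    for size in range(1, len(scopes) + 1):
        for combo in combinations(scopes, size):
            caps, _ = capabilities(combo)
            if not needed <= caps:
                continue
            key = (len(caps - needed), size)
            if best is None or key < best[0]:
                best = (key, set(combo))
    return best[1] if best else None


if __name__ == "__main__":
    triage = {"read", "labels"}  # a read-and-label triage task
    print(audit(SAMPLE_TOKENINFO, triage))
    print(sorted(minimal_scopes(triage)))
```

Run against the constructed token, a triage task that only needs read and label access is reported as over-privileged (the token also carries permanent deletion, sending and forwarding control), and the least-privilege answer is the pair of `gmail.readonly` and `gmail.labels`. If you do need trash-by-query, the calculator moves you to `gmail.modify`; only an explicit need for permanent deletion pushes it to the full-mailbox scope.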
Finding 2
Impact: A broad or mistaken request could delete many emails or send, forward, or reply to recipients unintentionally.
Details: The skill exposes destructive and external-communication tools, including query-based bulk actions and permanent deletion, with no documented confirmation step, dry-run mode, or scope limit.
Evidence: `gog_gmail_trash` | Trash by IDs or query ... `gog_gmail_batch_delete` | Permanently delete multiple messages ... `gog_gmail_drafts_send` | Send a draft ... `gog_gmail_autoreply` | Reply once to all messages matching a query
Recommendation: Require explicit user confirmation and a preview of the affected messages and recipients before sending, forwarding, auto-replying, trashing, archiving, or permanently deleting mail.
Finding 3
Impact: A mistaken action could leave mail forwarding, delegate access, vacation responses, or email tracking active after the user expected the task to end.
Details: Several of the Gmail settings the skill can change persist beyond a single chat or task (forwarding, delegation, vacation replies, watches, and tracking), but no approval or cleanup workflow is specified.
Evidence: Use `gog_gmail_run` for advanced settings (`filters`, `delegates`, `forwarding`, `sendas`, `vacation`, `watch`) and email tracking (`track`).
Recommendation: Treat every persistent Gmail setting change as high-risk: require explicit approval, summarize the exact setting being changed, and provide a clear rollback step.
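Findings 2 and 3 both come down to the same missing control: a policy layer between the agent and the MCP server that decides which calls need a human in the loop. The gate below is an added example written for this report; it is not part of the skill, gogcli, or ClawScan. The tool names are the ones quoted in the findings; the argument shapes (`ids`, `query`, `subcommand`, `to`, `subject`) are assumptions for the example and must be checked against the package's real tool schema before reuse. Three design points carry the security value: query-based destructive calls are refused until the query has been resolved to an explicit id list (the dry run), approvals are bound to a hash of the exact call so an approved call cannot be swapped for a different one, and persistent-setting calls return a rollback note alongside the allow decision. Anything not recognized defaults to requiring confirmation.

```python
import hashlib
import json

# Tool names from the ClawScan evidence. Argument keys below are assumed for
# this example, not taken from gogcli-mcp-gmail's schema.
READ_TOOLS = {"gog_gmail_raw", "gog_gmail_attachment"}
DESTRUCTIVE_TOOLS = {"gog_gmail_trash", "gog_gmail_batch_delete"}
EXTERNAL_TOOLS = {"gog_gmail_drafts_send", "gog_gmail_autoreply"}
PERSISTENT_SUBCOMMANDS = {"filters", "delegates", "forwarding", "sendas",
                          "vacation", "watch", "track"}
MAX_BULK = 50  # hard cap on messages one approved destructive call may touch


def fingerprint(tool, args):
    """Stable hash of the exact call. An approval is bound to this value, so
    approving one call never authorizes a call with different arguments."""
    blob = json.dumps({"tool": tool, "args": args}, sort_keys=True,
                      separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()


def classify(tool, args):
    if tool in READ_TOOLS:
        return "read"
    if tool in DESTRUCTIVE_TOOLS:
        return "destructive"
    if tool in EXTERNAL_TOOLS:
        return "external"
    if tool == "gog_gmail_run" and args.get("subcommand") in PERSISTENT_SUBCOMMANDS:
        return "persistent"
    return "unknown"  # default-deny: unrecognized calls still need confirmation


def preview(tool, args, kind):
    """Human-readable summary the user must see before confirming."""
    if kind == "destructive":
        return f"{tool}: {len(args['ids'])} message id(s), first {args['ids'][:3]}"
    if kind == "external":
        target = args.get("to") or f"all messages matching {args.get('query')!r}"
        return f"{tool}: to {target}, subject={args.get('subject')!r}"
    if kind == "persistent":
        return (f"gog_gmail_run {args['subcommand']}: persists after this task; "
                f"args={args.get('args')}")
    return f"{tool}: {json.dumps(args, sort_keys=True)}"


def rollback(args, kind):
    """Rollback note returned with every allowed persistent-setting change."""
    if kind != "persistent":
        return None
    sub = args["subcommand"]
    return (f"record the current '{sub}' state before applying; to undo, "
            f"re-run gog_gmail_run {sub} with the recorded values")


def evaluate(tool, args, approval=None):
    """Decide allow / confirm / preview_required / deny for one tool call.
    `approval` is {"fingerprint": ...} captured when the user confirmed a
    preview of this exact call."""
    kind = classify(tool, args)
    if kind == "read":
        return {"decision": "allow", "kind": kind}
    if kind == "destructive":
        if "ids" not in args:  # query-only bulk action: force a dry run first
            return {"decision": "preview_required", "kind": kind,
                    "reason": "resolve the query to explicit message ids before approval"}
        if len(args["ids"]) > MAX_BULK:
            return {"decision": "deny", "kind": kind,
                    "reason": f"{len(args['ids'])} ids exceeds MAX_BULK={MAX_BULK}"}
    fp = fingerprint(tool, args)
    if approval is None or approval.get("fingerprint") != fp:
        return {"decision": "confirm", "kind": kind, "fingerprint": fp,
                "preview": preview(tool, args, kind)}
    return {"decision": "allow", "kind": kind, "fingerprint": fp,
            "rollback": rollback(args, kind)}


if __name__ == "__main__":
    call = ("gog_gmail_run", {"subcommand": "forwarding", "args": ["enable", "x@example.com"]})
    first = evaluate(*call)                      # confirm, with preview + fingerprint
    print(first["preview"])
    print(evaluate(*call, {"fingerprint": first["fingerprint"]})["rollback"])
```

The cap on bulk size and the dry-run requirement together mean that "delete everything matching older_than:1y" can never execute as a single step: the agent must list the ids, show the user what it found, get a confirmation bound to that exact list, and stay under the limit. Archiving and label changes can be added to the destructive set if your threat model treats them as hard to reverse.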
Finding 4
Impact: The code that actually handles Gmail access may differ from what was reviewed, and a package update or compromise could affect the user's email account.
Details: The setup fetches and runs an npm MCP package through npx with the -y flag (auto-confirming installation) and no pinned version, while the provided artifact set contains no code files for that package.
Evidence: "command": "npx", "args": ["-y", "gogcli-mcp-gmail"]
Recommendation: Pin the package to an exact version, verify that the npm package matches the claimed source repository, and review the code before granting it Gmail access.
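Two of the three recommendations can be checked mechanically before the server is ever launched. The script below is an added example for this report, not code from the skill, from gogcli, or from ClawScan. It lints an MCP client config for npx-launched servers that auto-confirm installs or use unpinned specs, and it checks registry metadata of the kind `npm view <pkg>@<version> --json` prints: that the version is the pinned one, that the self-declared `repository` field points at the claimed source, and that an integrity hash exists to record in a lockfile. Assumptions: the `mcpServers` wrapper is the usual top-level key in MCP client configs, the pinned version `1.2.3` is hypothetical, and both registry responses are constructed, not real data for `gogcli-mcp-gmail`. A matching `repository` field is necessary but not sufficient, since anyone can declare any URL; provenance attestations (surfaced by npm under `dist.attestations` for packages published with provenance) or a reproducible build from the tagged source are the stronger checks, and the script only reports whether an attestation is present.

```python
import re

# Constructed sample config. The gmail entry's command/args are the values
# ClawScan quotes from the skill; "mcpServers" is the usual top-level key in
# MCP client configs, and the pinned version 1.2.3 is hypothetical.
UNPINNED = {"mcpServers": {"gmail": {"command": "npx", "args": ["-y", "gogcli-mcp-gmail"]}}}
PINNED = {"mcpServers": {"gmail": {"command": "npx", "args": ["gogcli-mcp-gmail@1.2.3"]}}}

# Constructed stand-ins for `npm view gogcli-mcp-gmail@1.2.3 --json`; not real
# registry data. META_BAD declares a different source repository.
META_OK = {
    "name": "gogcli-mcp-gmail", "version": "1.2.3",
    "repository": {"type": "git", "url": "git+https://github.com/steipete/gogcli.git"},
    "dist": {"integrity": "sha512-" + "0" * 86 + "=="},
}
META_BAD = dict(META_OK, repository={"type": "git", "url": "git@github.com:someone-else/gogcli.git"})

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")
# Strips git+https://github.com/, ssh://git@github.com/, git@github.com: and github: prefixes.
GITHUB_PREFIX = re.compile(r"^(?:git\+)?(?:(?:https?|ssh|git)://)?(?:git@)?github\.com[/:]|^github:")


def split_spec(spec):
    """'pkg@1.2.3' -> ('pkg', '1.2.3'); scoped '@s/pkg@1.2.3' -> ('@s/pkg', '1.2.3')."""
    scoped = spec.startswith("@")
    name, _, version = (spec[1:] if scoped else spec).partition("@")
    return ("@" + name if scoped else name), (version or None)


def lint_mcp_config(cfg):
    """Flag npx-launched servers that auto-confirm installs or are unpinned."""
    findings = []
    for name, server in cfg.get("mcpServers", {}).items():
        if server.get("command") != "npx":
            continue
        args = server.get("args", [])
        if "-y" in args or "--yes" in args:
            findings.append(f"{name}: -y suppresses npx's install prompt, so a package "
                            "fetch happens without the user seeing it")
        specs = [a for a in args if not a.startswith("-")]
        if not specs:
            continue
        pkg, version = split_spec(specs[0])
        if version is None or not EXACT_VERSION.match(version):
            findings.append(f"{name}: {pkg} is not pinned to an exact version "
                            f"(spec {specs[0]!r}), so each launch may run whatever 'latest' is")
    return findings


def normalize_repo(url):
    """'git+https://github.com/O/R.git' -> 'o/r' (also ssh and github: forms)."""
    return GITHUB_PREFIX.sub("", url).removesuffix(".git").lower()


def verify_registry_metadata(meta, expected_repo, expected_version):
    """Hard checks on registry metadata: pinned version, declared source repo,
    integrity hash. Returns a list of problems; empty means all passed."""
    problems = []
    if meta.get("version") != expected_version:
        problems.append(f"version {meta.get('version')} != pinned {expected_version}")
    repo = meta.get("repository", {})
    url = repo.get("url", "") if isinstance(repo, dict) else str(repo)
    if normalize_repo(url) != expected_repo.lower():
        problems.append(f"repository {url!r} does not match claimed source {expected_repo}")
    integrity = meta.get("dist", {}).get("integrity", "")
    if not integrity.startswith("sha512-"):
        problems.append("no sha512 integrity hash to record in a lockfile")
    return problems


def has_provenance(meta):
    """True if the registry lists a provenance attestation for this version."""
    return isinstance(meta.get("dist", {}).get("attestations"), dict)


if __name__ == "__main__":
    for line in lint_mcp_config(UNPINNED):
        print("config:", line)
    print("pinned config findings:", lint_mcp_config(PINNED))
    print("metadata problems:", verify_registry_metadata(META_BAD, "steipete/gogcli", "1.2.3"))
    print("provenance present:", has_provenance(META_OK))
```

Pinning alone does not freeze the code: npx will still download the tarball on a machine where it is not cached, so the integrity hash reported here belongs in a lockfile or a local install that the config then points at, rather than trusting the registry to serve the same bytes each time.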
Finding 5
Impact: Private messages and attachments may be processed by the agent and any connected MCP tooling.
Details: Reading raw message data and attachments through an MCP server is expected for a Gmail skill, but it means sensitive email content enters the agent and tool context, and from there any logs or retained transcripts the platform keeps.
Evidence: `gog_gmail_raw` | Raw Gmail API JSON for a message ... `gog_gmail_attachment` | Download a single attachment
Recommendation: Avoid using the skill on highly sensitive mail unless you trust the MCP server and understand the agent platform's logging and retention behavior.
