Inbox Triage
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent for inbox triage, but it deserves review because it can give an agent recurring mailbox access and optional rules can move or share email information.
Before installing, decide whether the agent should only read email or also archive and escalate messages. Prefer read-only credentials, keep auto-archive in dry-run or approval mode, define exactly what can be sent to Telegram or backup contacts, and review any cron or memory configuration regularly.
VirusTotal
65/65 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent or configured mail CLI may be able to read message metadata and content from the connected mailbox.
The skill requires access to the user's email account through OAuth or IMAP credentials, which is expected for inbox triage but grants access to sensitive mailbox data.
Authenticate with OAuth (read-only scope is sufficient for triage) ... Configure with your IMAP credentials
Use the least-privileged option available, prefer read-only OAuth scopes where possible, use app-specific passwords for IMAP, and revoke access when no longer needed.
Important messages could be moved out of the inbox automatically and missed by the user.
The advanced instructions include commands that mutate the mailbox by moving or archiving messages. This fits inbox-zero workflows, but misclassification can hide important mail, and the skill does not clearly require per-message approval after a dry run.
himalaya envelope move --folder INBOX --target Archive --ids [id1,id2,id3] ... gmail-archive --label "Agent-Archived" --ids [id1,id2,id3]
Keep auto-archive disabled or in dry-run mode until reviewed, require human confirmation for archive actions, and use a reversible label or folder with regular audits.
Sensitive email details or the existence of urgent messages could be disclosed outside the mailbox to Telegram or a backup contact.
The escalation pattern sends information derived from email triage to an external messaging channel or another person, but the artifact does not define recipient identity checks, content minimization, or approval requirements.
Urgent + no human response in 30 min → send reminder via Telegram ... Urgent + no response in 2h → send to backup contact
Whitelist exact escalation recipients, limit messages to minimal metadata, avoid forwarding bodies or attachments unless approved, and require explicit user confirmation for external sharing.
Email history, sender importance, and thread details may persist in agent memory and influence future triage decisions.
The advanced patterns suggest storing sender profiles and active thread status in persistent notes, which can retain sensitive relationship and business-context data across tasks.
Track ongoing email threads ... Active Threads (in daily memory notes) ... Build a sender profile over time ... Update profiles weekly.
Store only minimal metadata, redact sensitive subjects or names where possible, set retention limits, and periodically review or delete these memory notes.
The agent may keep checking email on a schedule after initial setup.
The skill documents recurring heartbeat and cron-based execution. This is disclosed and aligned with regular inbox checks, but it creates ongoing autonomous mailbox access.
Run inbox triage every 2-4 hours during work hours ... openclaw cron add --schedule "0 8,12,17 * * 1-5" --task "Run inbox triage, deliver report to main chat"
Enable recurring checks only intentionally, document how to disable them, and review cron or heartbeat configuration periodically.
