Skillv1.0.3

ClawScan security

Gmail Label Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 13, 2026, 11:55 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches a Gmail-labeling utility but the shipped script contains undeclared credentials, hard-coded personal data, hidden control characters in the instructions, and likely telemetry/exfiltration hooks (Telegram) that are not explained — review before use.
Guidance: This skill includes a large shell script that does most of the real work — do not run it blindly. Before installing or running: 1) Open script.sh and search for any network calls (curl, wget, nc, telegram API usage) — if present, understand what data is sent and where. 2) Remove or sandbox any hard-coded personal names/domains if you will reuse the skill for others. 3) Be cautious about providing TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID — those env vars are not declared by the skill but the script will use them if set and can forward data to Telegram. 4) Ensure required binaries (gog, jq) are installed and that you authenticate 'gog' to a Gmail account you control/test with only non-sensitive messages. 5) Consider running the script in an isolated environment (throwaway Gmail account, container) and monitor network traffic to confirm no unexpected exfiltration. 6) If you need this functionality but want safer behavior, request a version that documents dependencies, removes hidden control characters, and makes any telemetry (e.g., Telegram) opt-in and explicitly documented.
Findings: [unicode-control-chars] unexpected: The SKILL.md contained unicode control characters detection. Hidden/zero-width characters in instruction text may be an attempt at prompt manipulation or accidental corruption; either way it is unexpected for a straightforward skill README and warrants manual inspection.

Review Dimensions

Purpose & Capability: noteThe SKILL.md and script both describe classifying and labeling Gmail messages (needs a Gmail-capable CLI such as 'gog'), which is coherent. However the skill metadata declares no required env vars or binaries while the script clearly expects additional tools (jq, gog) and optional Telegram credentials — a mismatch.
Instruction Scope: concernSKILL.md instructs installing 'gog' and running script.sh. The script, however, reads a local config.json, writes logs, contains many hard-coded personal/family identifiers and domains, and references Telegram logging variables and files not mentioned in SKILL.md. These additional behaviors expand scope beyond the documented workflow and could expose sensitive email content.
Install Mechanism: okNo install spec (instruction-only) — nothing is downloaded or executed automatically by an installer. Risk from install mechanism itself is low, but running the included script will write files to disk (logs) and may perform network calls.
Credentials: concernThe skill registry lists no required environment variables, but the script expects TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID (and implicitly requires tools like jq and a Gmail-authenticated 'gog' CLI). Telegram credentials can be used to send messages (potential exfiltration). Multiple sensitive domains/names are hard-coded, which is unusual for a general-purpose skill.
Persistence & Privilege: notealways:false (normal). The script creates local logs and config files in its own directory (local persistence) but does not request system-wide configuration changes. The combination of local logs plus optional Telegram forwarding increases the blast radius for sensitive data, but there is no indication it modifies other skills or global agent settings.