Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Secure Gmail

v0.1.0

Secure Gmail skill using Composio brokered OAuth — no raw tokens stored locally. Reads, searches, and drafts emails with least-privilege enforcement. Blocks...

by CoinVest AI Innovations (@coinvest518)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious, high confidence
! Purpose & Capability
SKILL.md and prose repeatedly assert read-only and draft-only behavior, and that send/delete are blocked at the Composio gateway. However, agent.py creates a session that enables the GMAIL_SEND_EMAIL tool in the allowed list. The registry metadata also does not list COMPOSIO_API_KEY even though SKILL.md requires it. These contradictions indicate that the code footprint does not match the claimed least-privilege purpose.
! Instruction Scope
Instructions explicitly direct running agent.py and creating a .env with COMPOSIO_API_KEY, which is expected. But the runtime instructions forbid sending emails; the agent.py implementation nevertheless enables the send tool. If Composio fails to enforce the claimed gateway-level block, the skill could attempt sends. The instructions rely on external enforcement rather than demonstrating code-level prevention.
Install Mechanism
This is an instruction-only skill with no install spec in the registry, but SKILL.md tells operators to run `pip install python-dotenv composio`. Installing a third-party 'composio' package from PyPI (or elsewhere) without a pinned, audited release is a moderate risk. No packaged install spec or pinned dependency list is provided.
! Credentials
SKILL.md requires a COMPOSIO_API_KEY in a skill .env, which is proportionate for a brokered API. However, the registry metadata in the top-level manifest claims 'Required env vars: none' and 'Primary credential: none', a mismatch that reduces transparency and prevents automated permission checks. The single env var requested is otherwise reasonable.
Persistence & Privilege
The skill is not always: true and requests no special system-wide config paths. Autonomous invocation is allowed (default) but is not itself a unique red flag here. The skill does instruct storing COMPOSIO_API_KEY in a per-skill .env, which is expected for this design.
What to consider before installing
Do not install or enable this skill for broad use until the developer resolves the contradictions. Specifically:
(1) Ask the author to remove GMAIL_SEND_EMAIL from agent.py's enabled tool list (or explain why it must be present) and provide a corrected, audited agent.py that only enables read/draft slugs.
(2) Update the registry metadata to declare COMPOSIO_API_KEY as a required env var so platform permission checks can surface it.
(3) Require a pinned, auditable dependency spec (requirements.txt or install spec) for the 'composio' package and verify its provenance.
(4) Request proof from Composio (or run a controlled test) showing that attempts to use GMAIL_SEND_EMAIL are rejected and logged in the Composio dashboard.
(5) If you must test, run the skill in a restricted account and verify Composio logs show only allowed actions.
These steps will reduce the risk that the skill can send or delete emails despite its 'read-only' claims.

Like a lobster shell, security has layers — review code before you run it.
