ClawHub

gmailcleaner

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Gmail automation suite, but it is broader and more persistent than a simple reader and can move, send, export, monitor, and externally process sensitive email data.

Install only if you want a broad Gmail automation suite, not just a reader. Before use, limit Google scopes where possible, require previews before bulk delete/archive/send/export actions, keep recurring jobs and external notifications off unless explicitly needed, avoid raw user text in shell commands, and periodically review or delete local email logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The skill instructs the agent to write a persistent local audit log containing email-management activity to ~/.openclaw/workspace/email_audit.log, which expands data handling beyond the stated Gmail organization function. Even if it only stores summaries, this creates an additional local record of potentially sensitive mailbox activity and may violate user expectations, retention limits, or least-privilege principles.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The workflow tells the user it will permanently delete spam, but the command shown only moves messages to trash. This mismatch is dangerous because users may make decisions based on false assumptions about irreversibility, and an agent could later substitute truly destructive behavior or mis-handle confirmations due to unclear semantics.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is presented as a reporting/statistics tool, but it also documents state-changing operations such as updating/appending Google Sheets and restoring Gmail messages from trash. This violates least privilege and can cause unintended data modification or recovery actions under the guise of a read-only reporting workflow.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Undoing trash operations is unrelated to email reporting and introduces mailbox state-changing power that could be abused or accidentally triggered. A reporting skill should not have authority to restore deleted messages, especially when users may invoke it expecting only summaries or statistics.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Reading local audit logs and storing extracted prompt content in workspace files extends the skill beyond email reporting into local surveillance and persistence of potentially sensitive data. This increases exposure of user activity and email-derived content without a clear need for the core function.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill expands from email reading into cross-channel notification delivery by requiring a NOTIFY_CHANNEL and describing alert transport over Telegram, Slack, WhatsApp, iMessage, and Discord. That materially broadens the trust boundary because mailbox-derived content may be transmitted to external services, increasing privacy and data leakage risk beyond the stated purpose of simply reading email.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The documentation introduces persistent background automation via cron jobs and heartbeat monitoring, allowing recurring mailbox access and autonomous actions outside the user’s immediate request. In the context of an email-reader skill, this is more dangerous because it turns a bounded read operation into continuous surveillance and action orchestration, which can expose sensitive email content over time and normalize unattended access.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill goes beyond reading messages by proposing spam cleanup and follow-up workflows, which introduce message management and quasi-transactional behavior. Even where deletion asks for confirmation, embedding these workflows in the skill increases the chance of users enabling operations that can alter mailbox state or trigger unintended business communications.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The README uses very broad, natural phrases like 'Revisa mi correo' and '¿Hay algo urgente en mi inbox?' as invocation examples, which can cause the skill to trigger during ordinary conversation rather than only when the user clearly intends to invoke email access. In a skill with Gmail read access across all folders/labels, accidental activation can expose sensitive message content or metadata without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises email sending, automated scheduling, and batch cleanup capabilities but does not include clear warnings about privacy, account impact, mistaken sends, or destructive actions. Because these skills operate on Gmail and may automate outbound communication or mailbox changes, users may enable them without understanding the sensitivity of the data and the consequences of automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This skill enables broad access to highly sensitive Gmail content across all folders and labels, including spam, trash, drafts, and potentially multiple accounts, but it does not require explicit user confirmation, data-minimization guidance, or any privacy warning. In an agent setting, that can lead to over-collection of private communications and unnecessary exposure of sensitive personal or business data beyond the user's immediate request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly instructs sending batches of Gmail email contents to Anthropic for analysis, but does not require a user-facing consent or warning about the privacy and data-handling implications. Because emails can contain highly sensitive personal, financial, legal, or corporate data, silent transmission to an external AI service creates a real confidentiality and compliance risk.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The activation text is broad enough to match generic requests for reports, summaries, statistics, or exports, which may cause this skill to activate outside narrowly scoped email-reporting tasks. Overbroad triggering increases the chance of unintended access to mailbox data or export behavior when another tool would be more appropriate.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill advertises exporting email-derived data to Google Sheets or local files without prominently warning that message metadata and possibly sensitive contents may be copied to other storage locations. This can lead to unintentional data exposure, retention, and broader access than the original mailbox context.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Logging detected prompts from emails into a local markdown file persists potentially sensitive or adversarial content outside Gmail without a warning or consent flow. This creates unnecessary retention, expands the attack surface, and may preserve prompt-injection text where other components could later consume it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes ongoing automated mailbox monitoring and notification behavior without a clear privacy warning that email metadata and summaries may be continuously processed and forwarded to third-party channels. In this context, the omission is significant because users may not realize they are authorizing persistent background access and external disclosure of potentially sensitive communications.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal