Skillv1.0.0

ClawScan security

gmailcleaner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 26, 2026, 10:40 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared purpose (reading and managing Gmail via the gog CLI) is broadly consistent with its instructions, but there are several metadata and scope inconsistencies and a few behaviors (cron/heartbeat, logs, use of external AI API) you should verify before installing.
Guidance: What to check before installing/using this skill: 1) Fix/inspect metadata: the registry shows 'Required env vars: [object Object]'. Confirm the skill will request only the env vars you expect (GOG_ACCOUNT; optionally ANTHROPIC_API_KEY and NOTIFY_CHANNEL). Ask the publisher to correct the package metadata. 2) Inspect the brew tap before installing: the formula comes from steipete/tap. Review the tap/formula repository (and gog CLI source) so you trust the binary you're installing. 3) OAuth credentials: the skill requires you to provide Google OAuth credentials (client_secret.json) and run gog auth. Keep that credentials file private and follow Google best practices. Be careful where you store it and who you grant file permissions to. 4) External AI API: the analyzer and responder use Anthropic (ANTHROPIC_API_KEY) to process email contents unless privacy_mode is enabled. Only provide that API key if you are comfortable with email content being sent to that external service; enable privacy_mode (or anonymize sensitive content) if you prefer. 5) Confirm destructive and automated actions: email-organizer includes destructive commands (trash/delete) but the docs mandate explicit confirmation. Before enabling scheduled cron/heartbeat jobs or allowing the agent to run automatically, confirm whether enabling is manual. Do not enable automatic background jobs or notification channels until you understand what will run and when. 6) Audit/logs and exports: the skill saves audit logs and detected prompts to files in ~/.openclaw/workspace and can export data to Google Sheets via gog sheets (requires SHEET_ID/credentials). If you want privacy, verify where logs are stored and consider enabling privacy_mode. 7) Test in a controlled environment: try read-only queries first (search/get) and avoid granting send/delete permissions until satisfied. Ask the skill author whether any install step will write to OpenClaw config files automatically or only provide instructions for you to apply. If you want, I can produce a short checklist of specific commands and files to inspect (brew formula URL, gog binary SHA, openclaw config diffs) before installing.
Findings: [prompt-injection-ignore-previous-instructions] expected: The analyzer explicitly looks for prompt-injection patterns inside email bodies (e.g., 'Ignore previous instructions'). Detection of these strings in SKILL.md is expected because the skill is designed to find such text in emails. [prompt-injection-you-are-now] expected: The analyzer's detection list includes 'you are now' and similar phrases; presence of these examples in the SKILL.md is consistent with the analyzer functionality (not evidence of maliciousness by itself).

Review Dimensions

Purpose & Capability: noteThe name/description (Gmail reader/manager) match the runtime instructions: all commands use the gog CLI and the documented env vars (GOG_ACCOUNT, ANTHROPIC_API_KEY for analyzer/responder, NOTIFY_CHANNEL for scheduler) make sense for the listed features. However, the registry-level 'Required env vars' field is malformed ([object Object]) which is inconsistent with the SKILL.md files and suggests a metadata/packaging error that should be fixed.
Instruction Scope: concernThe SKILL.md instructions go beyond simple read-only queries: they show how to configure OAuth credentials (client_secret.json), read and write local OpenClaw files (~/.openclaw/openclaw.json, HEARTBEAT.md, ~/.openclaw/workspace/email_audit.log, prompts_log.md), and set up cron/heartbeat jobs and notification channels. Organizing/deleting commands include examples of destructive batch operations (trash/delete) — the organizer doc mandates user confirmation, but the skill's ability to create scheduled automation and write configs means it can enable persistent background actions. The analyzer/responder parts also instruct sending email content to an external AI service (Anthropic) unless privacy_mode is enabled. These behaviors are within the skill's purpose but increase impact and require explicit user consent and careful configuration.
Install Mechanism: noteInstall uses a Homebrew formula: steipete/tap/gogcli which produces the gog binary. A brew tap is a standard install path; however it is a third-party tap (not the main Homebrew core). This is a moderate-risk install source compared with an official project/tap — you should inspect the tap/formula source before installing.
Credentials: concernRequested environment/config access in SKILL.md (GOG_ACCOUNT, optional ANTHROPIC_API_KEY, NOTIFY_CHANNEL) is justified by the skill features. Concerns: (1) SKILL registry metadata is malformed and doesn't clearly list the required env vars; (2) the skill requires OAuth client credentials (client_secret.json) and instructs running 'gog auth credentials /path/to/client_secret.json' — that requires access to a local secrets file; (3) analyzer/responder will send email content to an external AI API (Anthropic) unless privacy_mode is enabled, so providing that API key allows email contents to be sent to a third-party. These are proportionate only if you knowingly provide them.
Persistence & Privilege: noteThe skill is not always-enabled and does not request elevated platform privileges, but it documents how to add cron jobs and heartbeat entries (scheduled background checks and notifications) and to write audit logs and prompt-detection logs. That gives it a persistent effect once enabled. The SKILL.md generally recommends confirmations for destructive actions and asks the user before activating scheduled jobs, but you should confirm whether the agent or the install routine will modify configs automatically or only provide instructions.