Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gmailcleanerfall

v1.0.0

Read/search Gmail via gog CLI (preferred) or Python scripts (fallback). Inbox check, email search, content retrieval, IMAP support.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The registry name/description and the top SKILL.md describe an email reader, but the bundle includes organizer, responder, scheduler, analyzer, reporter, and their Python scripts that perform destructive actions (trash/delete), create/send drafts, manage labels, and modify cron/heartbeat. Having those management/send/scheduling features is disproportionate if the published skill is intended only for reading/searching.
! Instruction Scope
Runtime instructions tell the agent to run gog commands and Python scripts, which is expected, but other SKILL.md files instruct editing ~/.openclaw/openclaw.json, adding cron/heartbeat entries, and running batch operations (jq|xargs) with --no-input. Those steps extend the scope from 'read' to persistent automation and mailbox modification; some example flows include irreversible deletes and automated scheduled actions.
Install Mechanism
Install uses a third-party Homebrew tap (steipete/tap/gogcli) to install 'gog' — not a built-in core formula. The Python fallback instructions advise pip-installing multiple packages (google-api-python-client, cryptography, anthropic, etc.). No arbitrary downloads or extract-from-unknown-URL steps were found, but the third-party brew tap raises moderate trust risk and should be inspected before installing.
! Credentials
Registry metadata shows malformed env entries ("[object Object]"), while SKILL.md and the code reference multiple environment variables: GOG_ACCOUNT, GMAIL_CREDENTIALS_PATH, and (in code) GMAIL_TOKEN_PATH, GMAIL_KEY_PATH, ANTHROPIC_API_KEY, IMAP_USER/IMAP_PASSWORD, and others. Scripts require OAuth credentials and an encryption key file (token.key) and may create token files on disk. The declared env vars do not fully account for what the code actually uses, which is disproportionate and risky.
! Persistence & Privilege
The skill is not marked always:true, but it includes instructions and scripts to add cron/heartbeat entries and run continuous schedulers; combined with send/modify/delete capabilities, this gives a path to persistent automated mailbox operations if the user enables scheduling. The code logs actions to an audit file under the workspace, but the presence of scheduling and send/delete capabilities increases the potential blast radius.
Scan Findings in Context
[ignore-previous-instructions] expected: The analyzer SKILL.md explicitly lists prompt-injection patterns (e.g., 'Ignore previous instructions') as items to detect; the pre-scan flagged that phrase. This is likely the skill documenting prompt-injection indicators rather than containing a malicious embedded instruction, but the scanner's finding is worth noting.
What to consider before installing
- Metadata mismatch: The registry metadata for required env vars appears malformed; ask the publisher for corrected/complete required env variable names and a clear list of permissions the skill needs.
- Broad capabilities: Although the top-level description says 'read/search Gmail', the package contains organizer/responder/scheduler scripts that can move/delete messages, create/send drafts, and schedule cron/heartbeat jobs. Only install if you accept those actions and understand they can modify your mailbox.
- Credentials & files: The Python code performs OAuth and writes encrypted token files (token.json, token.key) to disk. Confirm where these files will be stored and whether you accept that location and file permissions. Use a dedicated account or sandbox if you are unsure.
- Third-party install risk: The gog CLI is installed from steipete/tap via Homebrew — inspect that tap/formula source before installing to ensure it's trustworthy. The Python fallback uses packages including anthropic; the analyzer/responder require an ANTHROPIC_API_KEY if used.
- Automation & confirmations: Some CLI examples use --no-input and batch xargs pipelines. Even though many scripts demand explicit confirmations, the examples show how to run destructive batch operations non-interactively. If you enable scheduling, double-check cron/heartbeat entries and keep audit logs enabled.
Recommended next actions:
- Request corrected registry metadata and a clear manifest of required env vars (GOG_ACCOUNT, GMAIL_CREDENTIALS_PATH, GMAIL_TOKEN_PATH/GMAIL_KEY_PATH, ANTHROPIC_API_KEY, IMAP_USER/IMAP_PASSWORD if used).
- Inspect the Homebrew formula source (steipete/tap/gogcli) before installing.
- If possible, test on a throwaway Gmail account first and avoid enabling scheduler/cron until you validate behavior.
- If you only need read/search, prefer using the gog CLI backend interactively and avoid installing or running the Python fallback and scheduler components.
- If you are not comfortable with the above inconsistencies or with granting send/modify/scheduling capabilities, do not install.
If you want, I can: (a) list exactly which env vars and files the code reads/writes, (b) show the Homebrew formula URL to inspect, or (c) produce a minimal 'read-only' variant by removing scheduling/responder/organizer scripts.




Runtime requirements

Runtime: 📬 Clawdis
Bins: gog
Env: [object Object], [object Object]

Install

Install gog CLI (brew)
Bins: gog
brew install steipete/tap/gogcli
