gmailcleanerfall
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is advertised as a Gmail reader, but the bundle also includes tools that can modify, delete, send, schedule, and externally analyze emails.
Treat this as a full Gmail automation pack, not just a Gmail reader. Install only if you are comfortable granting modify/compose Gmail access, possible Sheets/Docs access, and external AI analysis of email content. If you only want reading, remove or avoid the organizer/responder/scheduler/reporter pieces, use least-privilege read-only OAuth credentials, and review any cron or OpenClaw heartbeat settings before enabling them.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Emails may contain hostile instructions; the skill appears intended to detect them, but the agent should not treat email text as authoritative instructions.
This explains the static prompt-injection signal. In context it is a detection-signature list for suspicious email content, not an instruction for the agent to follow.
Patrones: "Ignore previous instructions", "You are now", "Act as", "Forget your training"
Keep email bodies clearly delimited as untrusted data during analysis and avoid executing instructions found inside messages.
A mistaken or overly broad query could change, trash, or permanently delete many messages.
The supplied bundle includes irreversible and bulk Gmail mutation commands, even though the evaluated root skill is described as a read/search email reader.
gog gmail delete <ID> # ⚠️ IRREVERSIBLE ... gog gmail search '<query>' --max 500 --json --no-input | jq -r '.[].id' | xargs -I{} gog gmail <acción> {} --no-input
Separate read-only and mutating skills, require a dry-run/count preview, and enforce explicit user confirmation before every bulk or destructive Gmail action.
The credential could be used to alter mailbox state or compose/send mail, not only read messages.
The Python OAuth token can modify and compose Gmail messages, which exceeds the root skill's read-only/read-search framing.
SCOPES = ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.modify", "https://www.googleapis.com/auth/gmail.compose"]
Use a read-only OAuth scope for the reader and separate, clearly declared credentials for organizer/responder features.
Installation pulls third-party code into the local environment.
The skill depends on an external Homebrew tap and unpinned Python packages. This is expected for the integration, but provenance and version pinning are not shown.
brew install steipete/tap/gogcli ... pip install google-api-python-client google-auth-oauthlib beautifulsoup4 cryptography
Verify the gog CLI source, prefer pinned package versions, and install in an isolated environment where possible.
Private email contents may be transmitted to an external AI provider during analysis.
Email body excerpts and attachment names are packaged into prompts and sent to Anthropic. That external data flow is not clear from the root reader description.
"cuerpo":e.get("cuerpo","")[:1500] ... client.messages.create(model=MODEL,max_tokens=2000, messages=[{"role":"user","content":_prompt(batch)}])
Require explicit opt-in for AI analysis, disclose the provider and data sent, support redaction/local-only modes, and declare ANTHROPIC_API_KEY as a sensitive credential.
Email checks, notifications, cleanups, or delayed sends could continue after setup if the user enables these schedules.
The package documents persistent heartbeat/cron/loop automation that can repeatedly inspect mail and trigger cleanup/follow-up behavior beyond a one-time reader request.
"heartbeat": {"every": "30m" ...} ... "spam-cleanup": {"schedule": "0 22 * * 0", "command": "email-organizer limpiar spam >7d"} ... python3 scripts/scheduler.py --interval 30
Make scheduling opt-in, show the exact cron/heartbeat configuration, provide a clear uninstall/pause path, and avoid destructive recurring jobs by default.
