Skill v1.0.0

ClawScan security

gmailcleanerfall · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 10:41 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The package mixes a simple 'email reader' description with a full email-manager suite (read, modify, send, schedule) and has mismatched metadata and undeclared environment/credential use — it may do more than its top-level description implies.
Guidance
What to consider before installing:
- Metadata mismatch: The registry metadata for required env vars appears malformed; ask the publisher for corrected/complete required env variable names and a clear list of permissions the skill needs.
- Broad capabilities: Although the top-level description says 'read/search Gmail', the package contains organizer/responder/scheduler scripts that can move/delete messages, create/send drafts, and schedule cron/heartbeat jobs. Only install if you accept those actions and understand they can modify your mailbox.
- Credentials & files: The Python code performs OAuth and writes encrypted token files (token.json, token.key) to disk. Confirm where these files will be stored and whether you accept that location and file permissions. Ensure you use a dedicated account or sandbox if you are unsure.
- Third-party install risk: The gog CLI is installed from steipete/tap via Homebrew; inspect that tap/formula source before installing to ensure it's trustworthy. The Python fallback uses packages including anthropic; the analyzer/responder require an ANTHROPIC_API_KEY if used.
- Automation & confirmations: Some CLI examples use --no-input and batch xargs pipelines. Even though many scripts demand explicit confirmations, examples show how to run destructive batch ops non-interactively. If you enable scheduling, double-check cron/heartbeat entries and keep audit logs enabled.

Recommended next actions:
- Request corrected registry metadata and a clear manifest of required env vars (GOG_ACCOUNT, GMAIL_CREDENTIALS_PATH, GMAIL_TOKEN_PATH/GMAIL_KEY_PATH, ANTHROPIC_API_KEY, IMAP_USER/IMAP_PASSWORD if used).
- Inspect the Homebrew formula source (steipete/tap/gogcli) before installing.
- If possible, test on a throwaway Gmail account first and avoid enabling scheduler/cron until you validate behavior.
- If you only need read/search, prefer using the gog CLI backend interactively and avoid installing or running the Python fallback and scheduler components.
- If you are not comfortable with the above inconsistencies or with granting send/modify/scheduling capabilities, do not install.

If you want, I can: (a) list exactly which env vars and files the code reads/writes, (b) show the Homebrew formula URL to inspect, or (c) produce a minimal 'read-only' variant by removing scheduling/responder/organizer scripts.
Findings
[ignore-previous-instructions] expected: The analyzer SKILL.md explicitly lists prompt-injection patterns (e.g., 'Ignore previous instructions') as items to detect; the pre-scan flagged that phrase. This is likely the skill documenting prompt-injection indicators rather than containing a malicious embedded instruction, but the scanner's finding is worth noting.

Review Dimensions

Purpose & Capability
concern: The registry name/description and the top SKILL.md describe an email reader, but the bundle includes organizer, responder, scheduler, analyzer, reporter, and their Python scripts that perform destructive actions (trash/delete), create/send drafts, manage labels, and modify cron/heartbeat. Having those management/send/scheduling features is disproportionate if the published skill is intended only for reading/searching.
Instruction Scope
concern: Runtime instructions tell the agent to run gog commands and Python scripts, which is expected, but other SKILL.md files instruct editing ~/.openclaw/openclaw.json, adding cron/heartbeat entries, and running batch operations (jq|xargs) with --no-input. Those steps extend scope from 'read' to persistent automation and mailbox modifications; some example flows include irreversible deletes and automated scheduled actions.
Install Mechanism
note: Install uses a third-party Homebrew tap (steipete/tap/gogcli) to install 'gog', not a built-in core formula. Python fallback instructions advise pip installing multiple packages (google-api-python-client, cryptography, anthropic, etc.). No arbitrary downloads/extract-from-unknown-URL were found, but the third-party brew tap raises moderate trust risk and should be inspected before installing.
Credentials
concern: Registry metadata shows malformed env entries ("[object Object]") while SKILL.md and code reference multiple environment variables: GOG_ACCOUNT, GMAIL_CREDENTIALS_PATH, (and in code) GMAIL_TOKEN_PATH, GMAIL_KEY_PATH, ANTHROPIC_API_KEY, IMAP_USER/IMAP_PASSWORD, and others. Scripts require OAuth credentials and an encryption key file (token.key) and may create token files on disk. The declared env vars do not fully account for what the code actually uses, which is disproportionate and risky.
Persistence & Privilege
concern: The skill is not marked always:true, but it includes instructions and scripts to add cron/heartbeat entries and run continuous schedulers; combined with send/modify/delete capabilities, this gives a path to persistent automated mailbox operations if the user enables scheduling. The code logs actions to an audit file under the workspace, but the presence of scheduling and send/delete capabilities increases the potential blast radius.