Clawemail
ReviewAudited by ClawScan on May 10, 2026.
Overview
Clawemail is a coherent Google Workspace integration, but it uses powerful OAuth credentials that can read/send email and manage Google files.
Install only if you trust ClawEmail.com and are comfortable granting Google Workspace access. Protect the credentials and token cache, verify OAuth scopes, and manually review email sends, uploads, edits, and other write actions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything that can access these credentials or the cached token may be able to act on the connected Google account while the token is valid.
The helper reads OAuth refresh-token material and writes a bearer access token to a local cache. This is expected for the skill, but it is high-impact account authority.
REFRESH_TOKEN=$(python3 -c "...['refresh_token']..."); ... echo -n "$ACCESS_TOKEN" > "$CACHE_FILE"
Use a dedicated or least-privilege Google/ClawEmail account where possible, verify OAuth scopes, and keep ~/.config/clawemail and ~/.cache/clawemail private.
If used incorrectly, the agent could send the wrong email or make unintended changes to Google Workspace data.
The skill documents direct Google API mutation commands, including sending email. This matches the stated purpose but can create real external account activity.
curl -s -X POST ... "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"
Review recipients, message bodies, file paths, and other mutation details before allowing the agent to run write actions.
Users have less registry-provided information to verify who maintains the skill and service.
The skill’s provenance metadata is incomplete. That is worth noting because the skill relies on an external credential/service flow.
Source: unknown; Homepage: none
Confirm that ClawEmail.com and this skill publisher are trusted before authorizing Google Workspace access.