Ride Insights
v0.1.0Fetch and extract ride-sharing receipts from Gmail locally using OpenClaw to analyze ride patterns and create anonymized shareable reports.
⭐ 9· 280·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill is designed to fetch Gmail ride receipts and extract structured rides via a local OpenClaw Gateway. Requiring the gog CLI (for Gmail access) and python3 is consistent with the implementation. The declared env vars (OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_MODEL) are directly used for the local Gateway calls.
Instruction Scope
Runtime instructions and code consistently: (1) call gog to list/fetch Gmail messages, (2) write raw fetched receipts to data/ride-insights/emails.json, (3) POST the raw email JSON (including HTML) to the local Gateway /v1/responses endpoint, and (4) store normalized output locally. The skill enforces that the Gateway host must be local (localhost/127.0.0.1/::1) and requires explicit user consent before extraction. Note: the code and SKILL.md reference a fallback config file (~/.openclaw/openclaw.json) for the gateway token; this file access is documented in the SKILL.md but is not listed in the registry's required config paths.
Install Mechanism
No install spec — instruction-only with bundled scripts. Nothing is downloaded from external URLs or installed automatically. Risk is limited to execution of included Python scripts and reliance on the already-installed gog CLI.
Credentials
Requested env vars (gateway token, URL, model) are appropriate for contacting a local OpenClaw Gateway. The skill also reads ~/.openclaw/openclaw.json as a documented legacy fallback for the token; that file can contain sensitive credentials and is not declared as a required config path in registry metadata (the SKILL.md does document the fallback). The skill does not request unrelated third-party credentials.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It writes local artifacts under data/ride-insights and creates/initializes a local SQLite DB — behavior that matches its purpose. Note that autonomous invocation is enabled by default on the platform; if you do not want the agent to fetch emails automatically, disable autonomous invocation at the agent level.
Assessment
This skill appears internally consistent, but it processes highly sensitive data (full receipt HTML and message metadata). Before installing or running it: (1) ensure you run a trusted local OpenClaw Gateway and set OPENCLAW_GATEWAY_URL to localhost/127.0.0.1/::1 only (the code refuses non-local hosts), (2) verify where your gateway token is stored — either in env OPENCLAW_GATEWAY_TOKEN or in ~/.openclaw/openclaw.json — and be comfortable with that file containing a token, (3) ensure your gog CLI is properly authenticated for the Gmail account you intend to use and review gog permissions, (4) confirm the skill with the user before extraction (SKILL.md requires explicit consent), (5) treat data/ride-insights/emails.json as sensitive and delete it when no longer needed, and (6) if you do not want the agent to autonomously access Gmail, disable or gate autonomous invocation at the agent level. Overall the skill's actions align with its description — the main risk is handling of sensitive emails, not covert exfiltration or unrelated credential access.Like a lobster shell, security has layers — review code before you run it.
latestvk97fn2xk9daxdbems79bvmppvs83z113
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsgog, python3
EnvOPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_MODEL