Back to skill
Skillv1.4.0
ClawScan security
Agent Mail Guard — Email Sanitizer for AI Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 27, 2026, 10:04 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, scripts, and runtime instructions are consistent with an email/calendar sanitization tool and do not request unrelated credentials or hidden network endpoints.
- Guidance
- This skill appears to be what it claims: a local email/calendar sanitizer implemented in pure Python. Before installing or running it, review and consider: 1) The shell wrappers invoke the gog CLI to access Gmail/Calendar — gog must be configured with your Google credentials and will fetch your messages; ensure you trust that CLI and its authentication. 2) Audit logs are written to the skill directory (audit-log-YYYY-MM.jsonl); if you prefer logs elsewhere or want stricter isolation, change the LOG_DIR or run the sanitizer in a confined environment. 3) The gog parsing is text-based and brittle: test on your mail output to ensure important fields parse correctly and no false negatives/positives affect workflows. 4) contacts.json controls sender classification; if absent, many senders will be 'unknown' (minimal summaries). 5) The detection regexes are extensive but can produce false positives or misses — run the included tests and sample messages with your data before integrating into an automated agent. If you want higher assurance, run the sanitizer as a separate process with limited filesystem access or review the code manually (sanitize_core.py contains all detection logic).
- Findings
[ignore-previous-instructions] expected: SKILL.md and the code purposely detect and flag prompt-injection patterns like 'ignore previous instructions' — the scanner found these phrases inside documentation and detection regexes, which is expected. [you-are-now] expected: The authors explicitly include 'you are now' / identity-override patterns in the INJECTION_PATTERNS; the pre-scan found that phrase in SKILL.md and sanitize_core, which is appropriate for this sanitizer.
Review Dimensions
- Purpose & Capability
- okName/description match the included files and required binaries. The scripts explicitly call the gog CLI for Gmail/Calendar access and use Python sanitizer modules; requiring python3 and optionally gog is coherent for this purpose.
- Instruction Scope
- okSKILL.md and the CLI scripts constrain actions to fetching email/calendar (via gog), parsing text, running local sanitizers, and outputting JSON. Instructions do not tell the agent to read unrelated system files or transmit data to external endpoints. The README and SKILL.md explicitly warn agents not to execute commands or follow links found in emails.
- Install Mechanism
- okNo install spec is declared (instruction-only), and all code is plain Python stdlib. Nothing is downloaded from external URLs or extracted to disk by an installer. The presence of code files implies the implementation is bundled rather than fetched at install time.
- Credentials
- okThe skill does not request environment variables or credentials from the registry metadata. It does rely on the gog CLI (which itself requires Google account auth) and allows accounts to be provided via EMAIL_ACCOUNTS/CAL_ACCOUNTS or accounts.conf — these are appropriate and proportional for fetching mail/calendar data. No unrelated secrets are requested.
- Persistence & Privilege
- notealways:false and model invocation allowed (platform default). The skill writes audit logs to its own directory (audit-log-YYYY-MM.jsonl), which is expected for an audit feature but means local files will be created and appended; consider where the skill runs and whether that directory is acceptable for logs.