Skillv1.0.0

ClawScan security

Mediator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 12, 2026, 12:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches its stated purpose, but there are multiple implementation choices and defaults that don't add up or create privacy/exfiltration risks you should understand before installing.
Guidance: This package mostly does what it says (monitor local mail/iMessage, summarize via an LLM, and log results), but several red flags deserve attention before you run it: - Hard-coded defaults: The init template includes specific Gmail addresses. Remove or replace these immediately—don't leave someone else's addresses in your config. - External dependencies: The code calls an external script (~/clawd/scripts/gog-read.sh), the imsg CLI, and an 'llm' CLI. Inspect or replace those tools before use. The skill will only be as safe as those dependencies. - Data leakage to LLMs: summarize.py invokes an 'llm' CLI which will forward message content to whatever model/backend your local CLI is configured to use. If you care about confidentiality, verify the llm CLI configuration (where API keys point, provider privacy), or modify the code to use an on-device model or to avoid sending full messages. - Automatic installs: The scripts will pip-install PyYAML at runtime if missing. If you prefer controlled installs, install dependencies yourself first. - Auto-respond risks: The configuration supports an 'auto' respond mode but the code doesn't implement sending responses; enabling auto-response in any integrated system without reviewing behavior would be dangerous. Prefer 'draft' mode and manual review. - Inspect and sandbox: Before running, read the external gog-read.sh and any 'imsg' or 'llm' CLI you have installed. Run the skill in a limited/sandboxed environment or on a test account to confirm behavior. Consider removing or redacting any example accounts in the init template. If you want to proceed, verify the external CLIs and where the LLM sends data, remove the hard-coded accounts, and test with non-sensitive data first.

Review Dimensions

Purpose & Capability: noteThe code implements email and iMessage interception, summarization, and drafting as described. However, the default config written by init contains hard-coded Gmail accounts (dylan.turner22@gmail.com, dylan@doxy.me) and the email processor calls an external script at ~/clawd/scripts/gog-read.sh (not included). Those defaults are unexpected for a generic 'mediator' skill and suggest the package was authored for a specific person's environment.
Instruction Scope: concernInstructions and scripts access local email and iMessage histories, write config/state/log files in ~/.clawdbot, and call an LLM via a local 'llm' CLI. Summarize.py will send message content to whichever model/backend the 'llm' CLI is configured to use (potentially sending private messages to remote providers). The SKILL.md mentions Gmail Pub/Sub real-time flow, but implementation actually polls via an external gog-read.sh. The skill reads and archives messages (archive stub exists) — that behavior is within purpose but is sensitive and the code relies on external CLIs/scripts that may have broader access.
Install Mechanism: noteThere is no formal install spec, but the Python scripts auto-install PyYAML at runtime via pip if missing. That behavior runs network installs on first-run which may be surprising; otherwise nothing in the bundle downloads arbitrary remote code. The skill does rely on external CLIs (imsg, a local 'llm' CLI, and ~/clawd/scripts/gog-read.sh) which are not provided here.
Credentials: concernThe skill declares no required environment variables or credentials, yet it depends on local tooling and account access (Gmail via gog-read.sh, imsg CLI, and the 'llm' CLI which typically requires API keys/config). The hard-coded gmail_accounts in init is disproportionate and potentially leaks the maintainer's addresses into your config. Notify channels (telegram/slack) are referenced but no tokens or delivery mechanisms are implemented — missing wiring/credentials are inconsistent with the promised integrations.
Persistence & Privilege: okThe skill does not request 'always' privilege, does not modify other skills, and confines files to ~/.clawdbot (config, logs, state). It suggests adding a cron/heartbeat entry (normal for a polling tool). No automatic enabling of other skills or system-wide changes are present.