Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gmail Assistant

v1.1.1

Gmail API integration with smart AI features — read, send, search, and manage emails with Claude-powered summarization and drafting. Powered by evolink.ai

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (Gmail operations + optional EvoLink AI features) matches the instructions and included scripts. However the registry metadata claims no required config paths, binaries, or env vars while SKILL.md requires a Google OAuth credentials.json, stores tokens at ~/.gmail-skill/token.json, and lists required binaries (python3, curl) and an optional EVOLINK_API_KEY — the metadata omission is inconsistent and unexpected.
Instruction Scope
Run instructions are narrowly scoped to creating Google OAuth credentials, authorizing via the provided scripts, and (optionally) sending email content to api.evolink.ai for AI processing. The SKILL.md explicitly discloses third‑party transmission for AI commands. I could not fully verify the scripts' implementation from the provided truncated content — you should review scripts/gmail-auth.sh and scripts/gmail.sh to confirm there are no additional file reads or unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only at the platform level) and the repository includes only shell scripts and docs. That is lower risk than arbitrary binary downloads. No installer URLs, extract steps, or opaque third‑party packages were specified.
Credentials
The actual runtime needs (Google OAuth credentials file, token storage path, optional EVOLINK_API_KEY) are proportionate to the stated features. The concern is that the skill registry metadata did not declare these required config paths or env vars — mismatch could hide permission/consent expectations. No unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and stores tokens locally (SKILL.md claims chmod 600). Autonomous invocation is allowed by default but not by itself a red flag. No indications that the skill persists beyond its own files.
What to consider before installing
This skill appears to implement exactly what it advertises (Gmail access + optional AI via EvoLink) but the package metadata omits required config/binaries declared in SKILL.md — treat that as a warning sign and inspect before use. Before installing:
1) Open and review scripts/gmail-auth.sh and scripts/gmail.sh to confirm they only call Gmail APIs and api.evolink.ai and do not send data to other endpoints or read unrelated files.
2) Create a Google OAuth client with the minimum scopes (use a Desktop app client), and keep the credentials.json and token.json in the indicated directory with restrictive permissions.
3) If you use AI features, only set EVOLINK_API_KEY for a trusted EvoLink account and review their privacy policy; consider testing with non-sensitive emails first.
4) Run the scripts in a constrained environment (container or VM) if you cannot manually audit the code.
5) Because the registry/source are 'unknown' and there is no homepage, prefer to install only from a verified repository or contact the publisher for source verification and to resolve the metadata mismatch.

Like a lobster shell, security has layers — review code before you run it.
