gmail-labeler
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This Gmail triage skill is mostly purpose-aligned, but it needs careful review because it can use Gmail/keyring credentials, send email snippets to an LLM, and archive or label messages, while some credential requirements are under-declared.
Before installing, confirm you are comfortable granting this skill access to your Gmail and allowing it to change labels or archive messages. Start with dry-run mode, verify the exact Gog/Doppler credentials and Gmail account it will use, decide whether LLM review is acceptable for private email content, and protect or shorten the local log retention.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run with real credentials, the skill can authenticate to Gmail and potentially modify the inbox; users may not realize Doppler/Gog keyring access is required.
The launcher retrieves a secret used for non-interactive Gmail access through Gog/keyring. This is high-impact account credential handling, and it is not reflected in the supplied metadata's credential or environment-variable declarations.
export GOG_KEYRING_PASSWORD="$(doppler secrets get GOG_KEYRING_PASSWORD --project openclaw --config prd --plain)"
Declare the Gog/Doppler/keyring credential requirements, avoid hard-coded Doppler project/config names, make account selection explicit, and keep dry-run as the default until the user confirms the exact Gmail account and permissions.
A wrong rule or model decision could archive or relabel important emails, making them easier to miss.
Changing Gmail labels and removing messages from Inbox is central to the skill's purpose, but it is still a high-impact action if filters misclassify important mail.
Applies Gmail labels and archives non-actionable mail
Run in dry-run mode first, review JSONL logs, keep the search scope and max message count limited, configure VIP/never-archive lists, and move to label-only or full-action mode only after validation.
Private email snippets could leave the local machine for model review if LLM review is enabled and configured.
The default configuration enables an LLM review path for ambiguous emails and allows up to 1800 body characters, meaning email content may be sent to an external model/provider depending on the AIN configuration.
"llmReview": { "enabled": true, "provider": "", "model": "alibaba/MiniMax-M2.5", ... "maxBodyChars": 1800 }
Verify the exact LLM provider and data handling terms, disable llmReview for sensitive inboxes, reduce or redact body content where possible, and document provider credentials and routing.
Email subjects, senders, account identifiers, and routing decisions may persist locally for up to the retention period and affect future rules.
The skill intentionally keeps persistent decision logs and may use prior decisions to tune future behavior. This is useful for auditability, but the logs contain sensitive email metadata and can influence later classifications.
Every classification decision should be logged as JSONL with: ... account ... messageId ... sender ... subject ... The self-improvement routine should update: local overlay custom filters
Store logs with restrictive file permissions, keep the 30-day retention limit or shorter, avoid logging bodies or secrets, and review any self-improvement changes before applying them.
The installed CLI becomes part of the email-processing path, so its package integrity and updates matter.
The skill installs an external npm package for the LLM review layer. This appears purpose-aligned, but the provided install spec does not pin a version or provide provenance details.
node | package: @felipematos/ain-cli | creates binaries: ain
Pin the package version, document the package source and trust assumptions, and ensure users can run without the LLM CLI if they do not need model review.
