Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Email Automation

v1.0.2

Automate email triage, categorize, draft replies, and auto-archive in Gmail, Outlook, or IMAP to maintain an organized, efficient inbox.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's name/description and SKILL.md present a full integration with Gmail, Outlook, and IMAP and walk users through obtaining OAuth credentials and access tokens. The SKILL.md metadata also lists binaries like curl. However the included script (scripts/email_processor.py) does not implement any real network, IMAP, Gmail API, or Microsoft Graph access: it uses a simulate_fetch_emails() stub and only reads a small set of environment variables (EMAIL_PROVIDER, EMAIL_ADDRESS, AUTO_ARCHIVE, CATEGORIES, and optional EMAIL_AUTOMATION_DATA_DIR). Requesting OAuth credentials and access tokens in the docs is disproportionate to what the shipped code actually does.
Instruction Scope
The SKILL.md instructs users to create and set GMAIL_CREDENTIALS_FILE, OUTLOOK_ACCESS_TOKEN, and IMAP_PASSWORD and shows commands for setup. Those instructions could encourage users to place sensitive credentials in environment variables or files even though the runtime script never reads them. The instructions also reference external consoles (GCP/Azure) and suggest storing credential files — an action that should only be done if the code actually uses them. There are no directives to exfiltrate data, but the guidance to supply credentials is broader than justified by the code.
Install Mechanism
There is no install spec (instruction-only skill with a small Python script). Nothing is downloaded from third-party URLs and no archives are extracted. This is lower-risk from an installation perspective.
Credentials
SKILL.md advertises many sensitive environment variables (GMAIL_CREDENTIALS_FILE, OUTLOOK_ACCESS_TOKEN, IMAP_PASSWORD, etc.). The Python script only uses EMAIL_ADDRESS, EMAIL_PROVIDER, AUTO_ARCHIVE, CATEGORIES and an optional EMAIL_AUTOMATION_DATA_DIR; it does not read GMAIL_CREDENTIALS_FILE, OUTLOOK_ACCESS_TOKEN, IMAP_USERNAME, IMAP_PASSWORD, or other credential env vars. Asking for broad credentials without the code needing them is disproportionate and could lead users to expose secrets unnecessarily.
Persistence & Privilege
The skill does not request elevated platform privileges nor set always:true. The script writes a small history file into a data directory (default .email-automation or path from EMAIL_AUTOMATION_DATA_DIR), which is reasonable for local state. It does not modify other skills or system-wide configs.
What to consider before installing
This package looks like a demo: the documentation tells you to create OAuth tokens and set sensitive environment variables, but the bundled Python script only simulates fetching emails and never uses those credentials. Do not provide real Gmail/Outlook/IMAP passwords, access tokens, or credential files to this skill yet. If you want to use a real integration, ask the author to: (1) provide clear code paths that perform Gmail/IMAP/Microsoft Graph access and show how credentials are used, (2) publish the network endpoints and libraries used, and (3) explain how tokens are stored and protected. If you must test, run it in an isolated environment, inspect/grep the code for network calls (requests, imaplib, exchangelib, curl usage) and only supply app-specific or limited-scope tokens. Prefer vetted/email-specific integrations from trusted sources for handling real inboxes.

Like a lobster shell, security has layers — review code before you run it.

