Skill v1.0.12

ClawScan security

Gws Gmail Triage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 31, 2026, 6:34 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior (running the gws CLI to read your Gmail) is plausible, but it omits and defers authentication details to an external shared file — you should inspect that shared file and the gws binary before installing.
Guidance
This skill delegates authentication and global flags to '../gws-shared/SKILL.md' but does not include or declare those credentials here. Before installing, inspect the referenced gws-shared SKILL.md and confirm what auth it requires (OAuth tokens, local config files, or environment variables). Verify the provenance and trustworthiness of the 'gws' CLI on your system (where it came from, its documentation, and whether the triage command is truly read-only). If you can't review gws-shared or the gws binary, treat the skill as untrusted because it may cause the agent to read or use Gmail credentials not declared in this skill. To reduce risk, run gws commands manually first, or run the agent in an isolated environment with limited access to your actual Gmail credentials.
Findings
[no_regex_findings] expected: There are no code files; the regex scanner had nothing to analyze. That is expected for an instruction-only skill, but it removes an important signal about what the runtime will do.

Review Dimensions

Purpose & Capability
note: The name/description (show unread inbox summary) aligns with requiring the 'gws' CLI. Requiring the gws binary is proportionate for a CLI-based Gmail helper.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to 'Read ../gws-shared/SKILL.md for auth, global flags, and security rules.' That means runtime behavior depends on another file outside this skill; that file may contain auth instructions or reference credentials/config paths. The instructions themselves are otherwise minimal and read-only, but the external dependency creates an opaque surface.
Install Mechanism
ok: Instruction-only skill with no install step — nothing is written to disk by the skill itself. This lowers install-time risk.
Credentials
concern: The skill declares no required env vars or config paths, yet points to a shared SKILL.md for auth. That suggests credential access is expected but not declared here. The gws CLI likely uses local config or OAuth tokens; those credentials are not described, so it's unclear what secrets the agent will need or access.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; it does not request permanent or elevated platform presence.