Skill v1.0.12
ClawScan security
Gws Gmail Watch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 6:34 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (watch Gmail and stream messages) matches the instructions, but it hides important auth/credential and dependency details in an external shared SKILL.md and does not declare the Google/GCP credentials or config access it implicitly needs.
- Guidance: This skill appears to just wrap a 'gws' CLI command to watch Gmail, but it hides its authentication steps in a referenced ../gws-shared/SKILL.md that is not included. Before installing or running it: 1) inspect the referenced gws-shared SKILL.md to see exactly how auth is performed and where credentials/config are stored; 2) verify the provenance and integrity of the 'gws' binary (where it comes from and what permissions it requires); 3) confirm what Google/GCP credentials or service account scopes are needed (Gmail API, Pub/Sub publisher/subscriber) and grant only least privilege; 4) be cautious about Pub/Sub resources left behind — prefer using --cleanup or a disposable project/account for testing; 5) if you cannot review the shared auth file or trust the gws binary source, do not install or run this skill.
Review Dimensions
- Purpose & Capability (note): The skill is instruction-only and simply invokes the 'gws' CLI to watch Gmail and stream NDJSON, which aligns with the name/description. Requiring the 'gws' binary is expected for this purpose.
- Instruction Scope (concern): SKILL.md explicitly directs the agent to read ../gws-shared/SKILL.md for auth, global flags, and security rules. That external file likely contains authentication steps and possibly references to credentials or config paths — a hidden dependency not included here. The instructions also create/use GCP Pub/Sub resources (topic/subscription), which imply access to GCP IAM and Gmail push configuration even though those details are not surfaced.
- Install Mechanism (ok): There is no install spec and no code files — the lowest-risk delivery model. The only runtime requirement is that a 'gws' binary exists on PATH; the skill does not itself download or execute additional artifacts.
- Credentials (concern): The skill operates on Gmail and GCP Pub/Sub but declares no required environment variables or primary credential. Because it references another SKILL.md for auth, the required credentials (Google OAuth tokens, service account keys, GCP project credentials) are hidden rather than declared, which is disproportionate and opaque.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent presence or elevated platform privileges. It does have options to create persistent GCP Pub/Sub resources, but that behavior is controlled by flags (e.g., --cleanup) and is within the user's control.
