Skillv1.0.12

ClawScan security

Gws Workflow Email To Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 31, 2026, 6:35 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only wrapper around an existing 'gws' CLI to convert a Gmail message into a Google Tasks item and is internally coherent, but it relies on an external shared SKILL.md for auth and global flags which you should review before installing.
Guidance: This skill is a lightweight wrapper that calls the 'gws' CLI to convert an email into a task. Before installing or using it: (1) Inspect ../gws-shared/SKILL.md (or the artifacts produced by `gws generate-skills`) to see how authentication is performed, what tokens/credentials are required, and where they are stored; (2) Ensure the 'gws' binary is from a trusted source and understand its auth scopes (it may request access to Gmail and Tasks via OAuth); (3) Confirm you are comfortable with the CLI creating tasks on your behalf and that the skill will prompt for confirmation as the Tips suggest; (4) If you don't have access to the referenced gws-shared SKILL.md, treat the missing dependency as a risk — do not grant credentials until you inspect how they are used.

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md calls the gws CLI's workflow +email-to-task command and only requires the gws binary, which is appropriate for this purpose.
Instruction Scope: noteThe file delegates authentication, global flags, and security rules to ../gws-shared/SKILL.md (or the output of `gws generate-skills`). That external artifact likely contains the actual auth instructions and potentially access to credentials; it's not present here, so you must inspect it to understand what data will be accessed or stored.
Install Mechanism: okInstruction-only skill with no install spec or code files — it does not write files or download code itself. The only runtime requirement is the presence of the 'gws' binary.
Credentials: noteThis skill declares no required env vars, but its declared prerequisite (gws-shared SKILL.md) is likely where auth is configured. That external config may require OAuth tokens or other credentials; confirm what credentials gws/gws-shared asks for and where they are stored.
Persistence & Privilege: okThe skill is not always-enabled and does not request persistent installation. It appears to operate only by invoking the gws CLI and therefore does not request elevated platform privileges in itself.