Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gmail Enhanced
v1.0.0
Enhanced Gmail integration with advanced features including label management, attachment handling, advanced search, email parsing, and automated email proces...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, high confidence
Purpose & Capability
The name and description (Gmail features like search, labels, attachments, parsing, automation) align with the code and SKILL.md. The code uses the Gmail API and expects OAuth credentials and tokens, which is appropriate for this purpose.
Instruction Scope
SKILL.md and the code direct the agent to use OAuth credentials, run the local OAuth flow, read credentials.json and tokens.json, download and upload attachments (arbitrary local paths), and save tokens to disk. Those actions are expected for a Gmail client, but they do involve reading/writing local files and handling arbitrary attachments — so users should be aware it needs filesystem access and will store a refresh token locally.
Install Mechanism
There is no install spec despite a non-trivial Python module being included. The code imports google-auth, google_auth_oauthlib, and googleapiclient, but the registry metadata doesn't declare these dependencies or provide installation instructions. Missing dependency/install info is a deployment/operational risk and reduces auditability.
Credentials
Registry metadata lists no required env vars or primary credential, but both SKILL.md and the code expect GMAIL_CREDENTIALS_PATH and GMAIL_TOKEN_PATH (or default files). That mismatch is an incoherence: the skill will require OAuth credential files and will write a token file, yet the package metadata doesn't declare this. The skill will also access arbitrary local files when handling attachments (expected for functionality) — make sure you trust any code that can read local paths you pass to it.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will create/write its own token file (normal for OAuth clients) but does not appear to modify other skills or global agent settings.
What to consider before installing
This skill implements an OAuth-based Gmail client and will prompt for OAuth credentials, run a local OAuth flow, read your credentials.json and tokens.json (or the paths you set), and write a tokens file (containing refresh tokens) to disk. Before installing:
1) Only proceed if you trust the publisher, because the code will be able to read/write local files and access your Gmail via granted scopes.
2) Be aware the registry metadata does not declare the required env vars or Python dependencies (google-auth, google-auth-oauthlib, google-api-python-client); you will need to install them manually.
3) Review where tokens will be saved (GMAIL_TOKEN_PATH) and whether that location is acceptable.
4) When using attachment features, avoid pointing the skill at sensitive local files and consider scanning attachments before opening.
5) If you want higher assurance, request the publisher add an install spec, declare required env vars, and provide a dependency list and a short security/privacy note describing token storage and telemetry (if any).
