CDP Gmail Delivery
v1.0.8
Send Gmail messages from an operator-controlled Chrome debug session using Gmail CDP automation. Use when the user asks to send email from the local machine,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description match the code and docs: the skill connects to a local Chrome DevTools endpoint and uses puppeteer-core to open Gmail and send messages. Required binaries (node, npm) and the npm dependency are appropriate for this task.
Instruction Scope
SKILL.md and scripts confine actions to local resources (files, local CDP endpoint, and the user's visible Chrome session). One point to note: the workflow refers to running an external restart script (scripts/restart_debug_chrome.sh) that is not bundled here — that script lives in the workspace and could perform arbitrary actions if present, so operators should review it before running.
Install Mechanism
There is no registry install spec, but a bundled install_runtime.sh performs npm install puppeteer-core@24 into a local .runtime directory. This is a common, expected mechanism but does pull code from the public npm registry at install time (network activity).
Credentials
The skill requests no credentials or environment secrets. It legitimately needs access to local files (attachments) and the local Chrome CDP endpoint; the preflight checks and blocked-extension lists match the stated purpose.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or global agent settings.
Assessment
This skill automates whichever Gmail account is currently logged into the local Chrome debug session and will send messages using that account, so:
1) review and, if necessary, run the included install_runtime.sh in a controlled environment (it will download puppeteer-core from npm);
2) inspect any external restart_debug_chrome.sh in your workspace before running it (the skill expects such a script but does not include it);
3) confirm the visible Chrome session is the intended Gmail account before sending;
4) only pass files you trust and heed the preflight blocked-file checks; and
5) if you need stronger assurance, run the installer and send operations on an isolated machine or VM and verify the scripts' contents first.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node, npm
