Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email News Digest
v1.0.0
Summarize recent emails, generate a thematic image, and send a formatted HTML email report with the summary and image. Use for daily news digests, project updates, or any email-based reporting that needs visual enhancement and rich formatting.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill claims to fetch emails and send HTML messages with an attached generated image. Those capabilities normally require access to a Gmail account (OAuth tokens or SMTP credentials) and an image-generation API/key. Yet the skill declares no required environment variables, no primary credential, and no config paths. That discrepancy suggests either the skill expects external tooling (e.g., a preconfigured 'gog' CLI or another skill) to supply credentials or the metadata is incomplete.
Instruction Scope
SKILL.md instructs running scripts that will 'fetch the most recent email matching your query', assemble HTML, call another skill ('nano-banana-pro') to generate an image, and call 'gog gmail send' to dispatch mail. Those runtime actions may read local files, access credential stores, or make network calls. The README does not document what local configuration is required, where credentials are read from, or any safeguards around recipient lists or sensitive content. Because actual scripts are present (not just prose), you must inspect them before running.
Install Mechanism
No install spec is present (instruction-only plus two scripts). That minimizes automatic installation risk—nothing will be downloaded or installed automatically by the skill registry. However, the included scripts will run when invoked, so risk remains at execution time rather than installation time.
Credentials
The skill requests no env vars but clearly needs access to email-sending and email-reading capabilities as well as an image-generation skill. Absence of declared credentials (OAuth tokens, SMTP credentials, API keys) is a red flag: either the metadata is incomplete or the scripts rely on other preconfigured CLI tools/config files to obtain credentials. That increases the chance of unexpected credential usage or misconfiguration.
Persistence & Privilege
The skill does not set always:true and does not declare model invocation privileges. It therefore does not request permanent or always-on presence via the registry metadata. Risk is limited to when a user explicitly runs the provided script.
What to consider before installing
Before installing or running this skill:
(1) Inspect the two scripts (scripts/process_and_send.sh and scripts/summarize_content.py) line-by-line to see exactly what commands are executed, what files or env vars are read, and what network endpoints are contacted.
(2) Confirm how you will provide Gmail access and image-generation credentials—do not run the script until you understand where OAuth tokens or API keys must live and whether they will be transmitted anywhere.
(3) Verify the 'gog' CLI and 'nano-banana-pro' skill are trusted and configured in a minimal-privilege way.
(4) Run the script in a safe environment (isolated container or throwaway account) with test recipients to confirm behavior.
(5) Look for any hardcoded endpoints, unusual curl/wget commands, or any steps that read ~/ (home) or environment variables like *TOKEN/KEY/PASSWORD; if present, treat as high risk.
If you want, provide the contents of scripts/process_and_send.sh and scripts/summarize_content.py and I can analyze them line-by-line and update this assessment.
Like a lobster shell, security has layers — review code before you run it.
