Email News Digest

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its email-digest purpose, but its documentation includes real recipient addresses and it runs an undeclared external image-generation script from a hard-coded personal path.

Do not copy the sample recipients as-is. Before installing or running, inspect the external nano-banana-pro dependency, make sure gog is connected to the correct Gmail account, use a narrow email query, and verify every recipient before sending.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user copies the example command, a digest may be sent to unintended external recipients.

Why it was flagged

The primary usage example uses concrete Gmail addresses rather than placeholders for a workflow that sends an email digest derived from the user's Gmail.

Skill content

--recipients "matthewxfz@gmail.com,salonigoel.ssc@gmail.com"

Recommendation

Replace the example with placeholder addresses and only run the script with recipients you explicitly choose and review.

What this means

The skill may fail on most systems or may execute whatever code exists at that local path without that code being part of this review.

Why it was flagged

The script executes a Python file from another skill at a hard-coded personal absolute path outside the reviewed package, and that dependency is not declared in the requirements.

Skill content

NANO_BANANA_PRO_SCRIPT="/home/matthew/.openclaw/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py" ... uv run "${NANO_BANANA_PRO_SCRIPT}"

Recommendation

Declare and pin the image-generation dependency, avoid hard-coded personal paths, and review the external script before running this skill.

What this means

The skill can access matching Gmail content and send mail from the locally authenticated Gmail account.

Why it was flagged

The script uses an authenticated Gmail CLI to read a matching raw email and send an email from the user's account, which is expected for the purpose but high-impact.

Skill content

gog gmail search "$EMAIL_QUERY" --max 1 --json ... gog gmail get "$EMAIL_ID" --format raw --json ... gog gmail send

Recommendation

Confirm gog is authenticated to the intended Gmail account, use narrow email queries, and review recipients before sending.

What this means

Sensitive email content may briefly exist on disk during processing.

Why it was flagged

Decoded raw email is written to a local memory directory for processing and then removed on exit.

Skill content

EMAIL_DIGEST_DIR="memory/$(date +%Y-%m-%d)-email-digests" ... echo "$EMAIL_BODY_DECODED" > "${TEMP_EMAIL_FILE}" ... trap 'rm -f "${TEMP_EMAIL_FILE}" "${TEMP_HTML_FILE}"' EXIT

Recommendation

Run the skill only in a trusted workspace and avoid using broad queries over highly sensitive mail.