Gmail No Send
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The reviewed code contains no path that sends email, but the tool still requests broad Gmail permissions, and its account and token handling needs review before use.
Before installing, understand that this is a no-send Gmail client, not a purely read-only one. Use a reviewed or pinned version, protect ~/.config/gmail-no-send/token.json, verify which Google account is authenticated, and require approval before letting an agent create/update drafts or archive messages.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent may think it is operating on one Gmail account while the CLI actually uses whichever token is cached locally.
Credentials are loaded from a shared token path without using the --account value. Because the CLI can read mail, create/update drafts, and archive messages, a cached token can be used under a different account label than the user expects.
    from typing import Optional
    from google.oauth2.credentials import Credentials

    def load_credentials() -> Optional[Credentials]:
        # Single shared token path; the --account value is never consulted here.
        tp = token_path()
        if tp.exists():
            return Credentials.from_authorized_user_file(str(tp), SCOPES)
        return None

Store tokens per account, verify the authenticated Google email against the requested account, and make the active account visible before mutating drafts or archiving mail.
The included CLI does not expose a send command, but a stolen or reused token could be used by other code to send or modify Gmail data.
The no-send guarantee is enforced by this application, but the OAuth token itself has broader Gmail API authority if reused outside the CLI.
If an attacker obtains `~/.config/gmail-no-send/token.json`, they can use it with the Gmail API directly (the token has `compose` scope).
Protect the token file, use a dedicated Google OAuth client, revoke the token when no longer needed, and consider enforcing file permissions such as chmod 600.
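One way to implement the two recommendations above (per-account tokens verified against the authenticated identity, and a token file that is created with restrictive permissions and refused when it is group- or world-readable). This is an added example, not the skill's own code: the per-account file layout, the `whoami` callable and the POSIX permission check are assumptions; in the real CLI `whoami` would wrap Gmail's `users().getProfile(userId="me")` call.

```python
import json
import os
import stat
from pathlib import Path
from typing import Callable, Optional


class AccountMismatch(Exception):
    """The cached token authenticates as a different Google account than requested."""


def token_path(account: str, base: Path) -> Path:
    # Assumed layout: one token file per account instead of a single shared token.json.
    safe = "".join(c if c.isalnum() or c in "@._-" else "_" for c in account.lower())
    return base / f"token-{safe}.json"


def save_token(account: str, token: dict, base: Path) -> Path:
    # Create the file with mode 0600 from the start (POSIX), so there is no window
    # during which the cached token is readable by other local users.
    base.mkdir(parents=True, exist_ok=True)
    path = token_path(account, base)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(token, fh)
    return path


def load_token(account: str, base: Path, whoami: Callable[[dict], str]) -> Optional[dict]:
    """Return the cached token for `account`, or None when no token is cached for it.

    `whoami` maps a token to the e-mail address it actually authenticates as
    (hypothetical hook; the real CLI would call the Gmail profile endpoint).
    """
    path = token_path(account, base)
    if not path.exists():
        return None
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:  # group or world bits set: refuse to use the token
        raise PermissionError(f"{path} is readable by other users (mode {oct(mode)})")
    token = json.loads(path.read_text())
    actual = whoami(token)
    if actual.lower() != account.lower():
        raise AccountMismatch(f"requested {account} but token authenticates as {actual}")
    print(f"[gmail-no-send] active account: {actual}")  # make the active account visible
    return token
```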
An agent using this skill can change Gmail state by creating drafts or moving messages out of the inbox, even though it cannot send email through the provided CLI.
The tool can create drafts and archive messages by modifying Gmail labels. These actions are disclosed and purpose-aligned, but they are account-changing operations.
    # Create a draft (Gmail drafts.create)
    return service.users().drafts().create(userId="me", body=draft_body).execute()
    ...
    # Archive a message by removing the INBOX label (Gmail messages.modify)
    body = {"removeLabelIds": ["INBOX"]}
    return service.users().messages().modify(userId="me", id=message_id, body=body).execute()

Require human review for archive and draft-update actions, especially on work or shared mailboxes.
A user may install it expecting only passive email reading, while the tool can still create/update drafts and archive messages.
The 'read-only' wording conflicts with the listed draft and archive capabilities. Later sections clarify the no-send model, but the headline wording could cause users to underestimate mailbox mutations.
description: Read-only Gmail CLI that cannot send email by design. Search, read, create drafts, update drafts, and archive messages
Describe the tool as 'no-send' rather than 'read-only,' and clearly separate read-only commands from mailbox-changing commands.
Installing directly from the moving repository could expose Gmail credentials to unreviewed future code changes.
The optional GitHub install is not pinned to a tag or commit, so it may install code different from the reviewed artifacts.
pip install git+https://github.com/meimakes/gmail-no-send.git
Install from the reviewed local files or pin the GitHub install to a specific commit/tag and verify dependencies.
