v1.0.0

Gmail No Send

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:13 AM.

Analysis

The code appears to omit Gmail sending, but it still stores a powerful Gmail OAuth token and can modify mail/drafts, so its “read-only/no-send” framing and account handling need careful review.

Guidance: Install only if you are comfortable granting Gmail read/compose/modify OAuth access. Treat it as a no-send Gmail drafting and mailbox-modification tool, not a read-only tool; protect the token and audit log, verify the installed code/version, and require manual approval before any draft or archive action.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
description: Read-only Gmail CLI that cannot send email by design. Search, read, create drafts, update drafts, and archive messages

The same description labels the tool read-only while listing draft creation, draft updates, and archive actions, which are Gmail state changes.

User impact: A user may install it expecting read-only email access while the agent can still change drafts and move messages out of the inbox.
Recommendation: Describe it as a no-send Gmail modifier/drafting tool, not read-only, and clearly separate read-only commands from mutating commands.
Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Concern.
scripts/gmail_no_send/client.py
def archive(self, message_id: str) -> Dict[str, Any]: ... body = {"removeLabelIds": ["INBOX"]} ... service.users().messages().modify(userId="me", id=message_id, body=body).execute()

The archive command directly modifies Gmail labels for a message; the artifacts do not show a confirmation or approval step around this high-impact action.

User impact: An agent using the skill could archive messages and change the user's inbox state once it has a message ID.
Recommendation: Require explicit user approval for archive and draft-update/create actions, and consider a dry-run mode or allowlist for mutating commands.
Agentic Supply Chain Vulnerabilities
Severity: Low. Confidence: High. Status: Note.
scripts/pyproject.toml
dependencies = ["google-api-python-client", "google-auth-httplib2", "google-auth-oauthlib"]

The Python dependencies are not version-pinned, so future installs may resolve to different package versions.

User impact: A later dependency change could alter behavior or introduce vulnerabilities without the skill artifacts changing.
Recommendation: Install from a reviewed tag or commit and use pinned dependency versions or a lockfile.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High. Confidence: High. Status: Concern.
scripts/gmail_no_send/auth.py
SCOPES = ["https://www.googleapis.com/auth/gmail.readonly", "https://www.googleapis.com/auth/gmail.compose", "https://www.googleapis.com/auth/gmail.modify", ...]; def load_credentials(): tp = token_path(); ... def save_credentials(creds: Credentials): ... token_path().write_text(creds.to_json())

The persisted OAuth token has Gmail read/compose/modify authority, and credential loading/saving uses a single token path rather than binding tokens to the --account value.

User impact: The token can affect the user's Gmail account beyond simple reading, and multiple account labels could accidentally use the same cached Google token.
Recommendation: Declare Gmail OAuth as a primary credential, store tokens per account, verify the authenticated Google email against the requested account name, and set restrictive token-file permissions.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low. Confidence: High. Status: Note.
scripts/gmail_no_send/client.py
audit_log("search", {"account": self.account, "query": query, "max_results": max_results}); ... audit_log("draft.create", {"account": self.account, "to": to, "subject": subject})

The local audit log records Gmail search queries and draft recipient/subject metadata, which can be sensitive even though logging is disclosed.

User impact: Local logs may reveal who the user corresponded with or what they searched for in email.
Recommendation: Protect the config directory, periodically review or rotate the audit log, and avoid putting highly sensitive content in search queries or subjects when possible.