Signal Pipeline

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill matches its marketing-signal purpose, but it can use Gmail access, external web requests, local CLI execution, and persistent local databases that users should review before running.

Before installing, use a virtual environment, verify the external `gog` Gmail CLI, and configure Gmail access only for accounts and scopes you are comfortable searching. Expect requests to RSS, X/FxTwitter, Telegram, Sogou/WeChat, and Gmail-related services. Review the full local scripts and generated drafts before posting, and delete the created SQLite or memory files if you do not want signal data retained.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If `gog` is configured, the skill can search recent Gmail messages matching its newsletter queries and process sender, subject, and date metadata.

Why it was flagged

The script queries Gmail through a locally configured `gog` CLI session. This fits the newsletter-monitoring purpose, but Gmail account access is sensitive and should be explicitly understood by the user.

Skill content

f"gog gmail search '{query} newer_than:30d' --max 5 --json"

Recommendation

Use a dedicated or least-privileged Gmail configuration if possible, review `gog` OAuth scopes, and revoke access when no longer needed.

What this means

A poorly edited or copied newsletter query could be interpreted by the local shell rather than treated purely as a Gmail search.

Why it was flagged

The Gmail helper is invoked through a shell command. Current queries are fixed in the script, but `shell=True` increases risk if future user-edited search strings contain shell metacharacters.

Skill content

subprocess.run(..., shell=True, capture_output=True, text=True, timeout=30)

Recommendation

Prefer `subprocess.run([...], shell=False)` and validate or escape any user-edited Gmail search strings.

What this means

Future reports or generated posts may be influenced by old or untrusted source content kept in local databases.

Why it was flagged

The skill intentionally persists retrieved external content for later summaries and drafts. That is useful for the pipeline, but stored public or newsletter content can be stale, inaccurate, or prompt-injection-like if later fed to an agent.

Skill content

aggregates signals from multiple sources, stores them in SQLite

Recommendation

Review generated drafts before posting, periodically clear old databases if not needed, and treat retrieved content as untrusted input.

What this means

Running the Telegram script may contact Sogou/WeChat in addition to Telegram.

Why it was flagged

When run directly, the Telegram monitor also performs a fixed WeChat/Sogou search. It does not send local secrets, but it is extra external network behavior not highlighted in the Telegram-focused description.

Skill content

url = f"https://weixin.sogou.com/weixin?type=2&query={keyword}" ... results = search_wechat("品牌营销")

Recommendation

Document this extra source clearly or remove the test block if only Telegram monitoring is intended.

What this means

Installing or configuring dependencies could pull in software outside the reviewed skill files.

Why it was flagged

Setup depends on Python packages and an external Gmail CLI that are not installed by a reviewed install spec. The packages are common and purpose-aligned, but users must trust the installed versions and the separate CLI.

Skill content

pip install -r requirements.txt ... The newsletter monitor requires `gog` CLI to be configured with Gmail access.

Recommendation

Install in a virtual environment, pin dependency versions if possible, and verify the provenance of the `gog` CLI before granting Gmail access.