Skill v1.0.0
ClawScan security
Nylas Email, Calendar & Contacts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 4:15 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions match its stated purpose (Nylas access) — it only asks for a Nylas API key — but it is instruction-only and tells the agent/user to install an external npm plugin, so you should verify that package and the key scope before installing.
- Guidance
- This skill appears to do what it says: it needs your NYLAS_API_KEY so the plugin can access your email, calendar, and contacts. Before installing or letting an agent run the commands: 1) Verify the npm/OpenClaw plugin (@nylas/openclaw-nylas-plugin) publisher and review its package/homepage source (the registry metadata here shows no homepage). 2) Limit the API key's scope if possible and use a dedicated key/account for integrations; rotate/revoke it if you stop using the plugin. 3) Be aware the SKILL.md tells you to install a third-party package — that fetches code from a registry, which can run arbitrary code during install. If you are unsure, inspect the package code or install it manually rather than allowing an automated agent to do it. 4) If you do not want the agent to perform installs or change config autonomously, do not grant it permission to execute system commands or install plugins.
Review Dimensions
- Purpose & Capability
- ok: Name/description align with requested credential: NYLAS_API_KEY is the expected primary credential for a Nylas integration. No unrelated environment variables or unexpected binaries are requested.
- Instruction Scope
- ok: SKILL.md stays within the stated domain: it instructs installing an OpenClaw Nylas plugin, setting the Nylas API key, and running Nylas CLI status/discover commands. It does not ask to read unrelated files or extra environment variables.
- Install Mechanism
- note: The skill is instruction-only and has no install spec, but it directs users/agents to run `openclaw plugins install @nylas/openclaw-nylas-plugin` (an npm/CLI plugin). Installing that package will fetch and run third-party code from a registry (moderate risk). The SKILL.md also links to the npm package and CLI docs; verify the publisher and package contents before installing.
- Credentials
- ok: Only NYLAS_API_KEY is required and is declared as the primary credential; this is proportional for an email/calendar/contacts integration. The doc correctly instructs storing that key in OpenClaw config. Note that a single API key may grant access to multiple connected accounts, as described.
- Persistence & Privilege
- note: always:false (normal). The instructions tell the agent/user to install a plugin and write the Nylas key into OpenClaw config, which modifies agent configuration for this plugin (expected). If you allow the agent to run installation commands autonomously, it could install/run code from npm; consider whether you want the agent to perform installs without manual review.
