CMA Email

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent with its stated purpose, but it can immediately send Gmail messages to hardcoded external recipients without a confirmation step.

Install only if you intend messages beginning with 'cma' or 'cmap' to be emailed to the listed addresses. Verify the 'gog' Gmail helper and the sending account, and prefer adding a confirmation step before any email is sent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A message that merely starts with the trigger could be treated as an email command and sent instead of being answered or clarified.

Why it was flagged

The skill forces tool use and suppresses normal conversation whenever the prefix appears, which can override clarification or user intent.

Skill content

**SYSTEM INSTRUCTION:** If the user's message starts with "cma" or "cmap" ... you MUST use this skill. Do not reply with text conversation. Execute the email command immediately.

Recommendation

Require an explicit send intent and show a confirmation prompt with recipient, subject, and body before sending.

What this means

Accidental or ambiguous trigger messages could send email from the user's Gmail account to the listed recipients.

Why it was flagged

The skill sends user-provided content through Gmail to hardcoded external addresses, with no approval step after parsing the message.

Skill content

Recipient: `duarte.caldas.oliveira@gmail.com` ... Recipient: `duarte.oliveira@devoteam.com` ... `gog gmail send --to "[Recipient]" --subject "[Subject]" --body "[Body]"`

Recommendation

Add confirmation, make recipients configurable or clearly disclosed before install, and allow cancellation before the Gmail send occurs.

What this means

The email may be sent from a Gmail account connected to the helper skill, so the user should know which account is being used.

Why it was flagged

Sending via Gmail implies use of whatever Gmail account authority the helper skill has, even though this skill does not itself define a credential contract.

Skill content

Use the `gog` skill to send the email.

Recommendation

Document the Gmail account and permission expectations, and ensure the helper skill uses the minimum required send-only scope.

What this means

The safety of the final email send also depends on the separate 'gog' skill and its Gmail handling.

Why it was flagged

The reviewed artifact depends on a separate skill that is not included in the file manifest, so the actual Gmail implementation is outside this review.

Skill content

requires:
      skills: ["gog"]

Recommendation

Review and trust the 'gog' skill before enabling this one, especially its Gmail authentication and send behavior.