Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Inbox Cleanup

v1.0.3

IMAP bulk email triage — pattern-based delete/archive with dry-run mode. Use when: cleaning up large email inboxes, bulk-deleting emails from specific sender...

0· 377·1 current·1 all-time
by Nissan Dookeran (@nissan)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose (IMAP bulk delete/archive) matches the included script, which connects to an IMAP server and operates on UIDs. However, the registry metadata lists no required environment variables or primary credential, while the SKILL.md and the script clearly require IMAP credentials (IMAP_HOST, IMAP_PORT, IMAP_USER, IMAP_PASSWORD, etc.). That mismatch is incoherent: a legitimate IMAP tool should declare its need for credentials in the registry metadata.
Instruction Scope
SKILL.md and the script limit actions to reading FROM/SUBJECT headers and performing IMAP STORE/COPY/EXPUNGE operations (delete/archive). Dry-run is the default and the tool encourages reviewing results before applying. The instructions do not direct email content to external endpoints nor do they ask the agent to read unrelated system files. The metadata correctly indicates outbound network access (to the IMAP server).
Install Mechanism
There is no external install/download step — the repository bundles a local Python script and a YAML example. This is low-risk compared with pulling binaries from an arbitrary URL. The script optionally requires PyYAML (the code exits with guidance if missing), which is a standard Python dependency.
! Credentials
The tool reasonably requires IMAP credentials and an archive folder name; these are proportionate to its functionality. The concern is that the registry metadata did not declare these environment variables or a primary credential, which could mislead users and automated permission reviewers. Also note IMAP_SKIP_CERT_VERIFY=true support (used for Proton Bridge/self-signed certs) — useful for localhost but dangerous if enabled for remote servers because it disables TLS cert verification and increases MITM risk.
Persistence & Privilege
The skill does not request persistent/global privileges (always:false) and does not modify other skills or system-wide agent settings. It acts on user-supplied IMAP credentials at runtime. Autonomous invocation is allowed by default but not combined with other elevated privileges here.
What to consider before installing
This tool is coherent with its stated purpose (it connects to your IMAP server and deletes/archives messages). Before installing: (1) Confirm you trust the publisher — source/homepage is unknown. (2) Expect to provide your IMAP username/password (or app-specific password); the registry incorrectly omits these required env vars — treat that as a red flag. (3) Always run a dry-run first and review matches. (4) Avoid enabling IMAP_SKIP_CERT_VERIFY for remote servers (only use it for local proxies like Proton Bridge). (5) If you plan to use it, inspect the bundled scripts yourself or run them in an isolated environment; consider using an application-specific password or a secrets manager rather than pasting your primary mailbox password.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dynct87th7k207jj6js9j8983seb0
