Skillv1.0.7

ClawScan security

Safe Email · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 8, 2026, 9:59 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and runtime instructions are consistent with its stated purpose (reading a single dedicated inbox via IMAP), but you should still use a dedicated account and treat the IMAP app password as sensitive.
Guidance: This skill appears to do what it says: it will connect to an IMAP mailbox (using himalaya and the provided IMAP username + app password) and read the newest forwarded message when you explicitly ask it to. Before installing: (1) Use a dedicated inbox (as recommended) so the app password only exposes that mailbox. (2) Provide the app password via your runtime secret store (do not embed it in the skill). (3) Be aware that the app password grants full mailbox access—rotate/delete it if you stop using the skill. (4) Confirm the agent enforces the explicit-trigger rule and that you are comfortable with the agent's access to the mailbox; ambiguity in what counts as the “relevant” message could lead to reading an unintended email. (5) If you need stronger guarantees, consider running this skill only in an environment you control or using short-lived credentials.

Review Dimensions

Purpose & Capability: okName/description (privacy-first IMAP extraction) matches the declared requirements: it asks for an IMAP CLI (himalaya) and IMAP credentials (username + app password), which are exactly what a mailbox-reading skill needs.
Instruction Scope: noteSKILL.md restricts behavior (explicit trigger required, read only newest relevant message, optional deletion only with consent) and references only the declared IMAP credentials. However, some language is intentionally discretionary (e.g., deciding which message is the "newest relevant candidate"), which places trust in the agent's judgment. The policy relies on runtime enforcement rather than technical constraints, so there's a small risk the agent could read an unintended message if the trigger or relevance test is ambiguous.
Install Mechanism: okInstruction-only skill with no install spec or downloads; lowest-risk install posture. It assumes a preinstalled himalaya binary, which is reasonable for an IMAP CLI workflow.
Credentials: noteRequested env vars (SAFE_EMAIL_IMAP_USERNAME and SAFE_EMAIL_IMAP_APP_PASSWORD) are proportional to the task. Note that an IMAP app password grants full access to the dedicated mailbox, so it is high-sensitivity data and should be provisioned securely and rotated if compromised. The metadata did not declare a primary credential, but that is not inconsistent.
Persistence & Privilege: okalways is false and the skill requires explicit triggers and forbids auto-polling in prose/metadata, limiting continual background access. Autonomous invocation is allowed by default, but the skill's explicit-trigger policy reduces risk.