Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Daily Medium
v1.0.0Fetch and summarize Medium Daily Digest emails from Gmail. Extracts article URLs, generates Freedium links to bypass paywalls, and provides article summaries...
⭐ 0· 105·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's code and instructions match the stated purpose: it logs into Gmail via IMAP, finds recent messages from medium.com, extracts article URLs, and constructs Freedium mirror links. However, the registry metadata claims 'Required env vars: none' while SKILL.md and the code require EMAIL_ADDRESS and EMAIL_PASSWORD — this metadata discrepancy is an incoherence to surface.
Instruction Scope
Instructions and example code ask the agent (or a user script) to fetch content from a third‑party Freedium mirror (freedium-mirror.cfd) to bypass Medium paywalls. That is consistent with the skill's aim but raises privacy, legal, and trust concerns because fetching mirror pages exposes the user's IP and possibly the article content to an external service. The SKILL.md asks the user to provide an app password and enable IMAP — sensitive actions that are proportional but require careful handling.
Install Mechanism
No install spec; this is an instruction-only skill with a single helper script included. Nothing is being downloaded or written by an automated installer, which reduces installation risk.
Credentials
The code requires EMAIL_ADDRESS and EMAIL_PASSWORD (a Gmail App Password). That is proportionate to the stated function, but the registry metadata incorrectly lists 'none' for required env vars. Requesting an app password and asking users to store it in environment variables is a sensitive operation — users should be aware of the risk of storing persistent credentials in env and consider using OAuth or a disposable app password. No other unrelated credentials are requested.
Persistence & Privilege
Skill does not request permanent 'always' presence, does not modify other skills or system settings, and does not include an install script that persists beyond the included files. Autonomous invocation is allowed by default but not an additional concern here.
What to consider before installing
This skill requires your Gmail address and an App Password to access your inbox via IMAP — those are sensitive credentials. Before installing or running it: (1) note that the registry metadata does not declare these required env vars even though the SKILL.md and code do; that mismatch is a red flag. (2) Understand that the skill constructs and recommends fetching articles through freedium-mirror.cfd to bypass paywalls — that will expose which articles you access and your IP to a third party and may have legal/ethical implications. (3) Prefer creating and using a dedicated, revocable App Password or a throwaway account rather than your primary account, and never paste your primary Gmail password. (4) If you plan to run this, inspect the included script (scripts/fetch_medium.py) yourself — it is short and readable — and consider running it in an isolated environment. (5) If you need stronger safeguards, ask the maintainer to add OAuth support (so you don't store credentials in env), update the registry metadata to list required env vars, or remove/replace the Freedium mirror with an official approach. If you are uncomfortable with providing IMAP access or with paywall bypass behavior, do not install or run this skill.Like a lobster shell, security has layers — review code before you run it.
latestvk970d25hzxek8v7cx34810qxcx8359tm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.