Skill v0.1.1

ClawScan security

Gmail · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 8:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions line up with its stated Gmail-integration purpose: it asks only for a MorphixAI API key and instructs use of mx_gmail/mx_link via the Morphix proxy; nothing in the skill requests unrelated system access.
Guidance
This skill appears internally consistent with a Morphix-proxied Gmail integration. Before enabling: 1) verify you trust morphix.app and the openclaw-morphixai plugin (source, publisher, privacy policy); 2) understand that MORPHIXAI_API_KEY will allow Morphix to act on your Gmail via the proxy — review what access the service grants; 3) the skill is currently marked '暂不可用' (temporarily unavailable) until you link a Gmail account via mx_link/connections; and 4) because this is instruction-only, no code is installed by the skill itself, but the external plugin must be installed separately. If any of those external dependencies are unfamiliar or untrusted, do not install or provide the API key.

Review Dimensions

Purpose & Capability
ok
Name/description claim Gmail integration via a MorphixAI proxy. The only required environment variable is MORPHIXAI_API_KEY and the SKILL.md calls mx_gmail/mx_link tools — these are consistent with a proxy-based Gmail adapter. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
ok
The SKILL.md is instruction-only and tells the agent to use mx_gmail actions (list_messages, get_message, send_mail, etc.), to set MORPHIXAI_API_KEY, and to link a Gmail account. It does not instruct reading arbitrary files, other env vars, or sending data to unexpected endpoints beyond morphix.app/mx_gmail.
Install Mechanism
note
There is no install spec in the registry (lowest technical risk). The README instructs the user to run `openclaw plugins install openclaw-morphixai` and to obtain an API key from morphix.app — this is reasonable but introduces an external dependency. The user should verify the plugin/source (openclaw-morphixai and morphix.app) before installing.
Credentials
ok
Only MORPHIXAI_API_KEY is required, which is proportional: the skill delegates Gmail access to Morphix. It does not request unrelated tokens, passwords, or multiple credentials. Note: the API key grants whatever access Morphix permits, so trust in Morphix is required.
Persistence & Privilege
ok
Flags show no elevated persistence: always is false and the skill is user-invocable. It can be invoked autonomously by the agent (default behavior), which is normal and expected; there is no request to modify other skills or system-wide settings.