Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gmail Inbox Zero Triage

v1.0.1

Gmail Inbox Zero Triage - Interactive inbox management using gog CLI with Telegram buttons. Use when the user wants to achieve inbox zero, triage their Gmail inbox interactively, process ALL inbox messages (read and unread) with AI summaries and batch actions (archive, filter, unsubscribe). OAuth-based, no passwords needed.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The name/description (Gmail triage via gog CLI + Telegram) matches the documented behavior, but the package metadata declares no binaries, no env vars, and no code files while the SKILL.md repeatedly references scripts (scripts/gog_processor.py, scripts/queue_manager.py, scripts/execute_queue.py) and JSON state files. Those scripts are not present in the provided file list, so the skill as packaged cannot implement its claimed functionality. This mismatch is a significant incoherence.
! Instruction Scope
SKILL.md instructs the agent to fetch ALL inbox messages, save batches to current_batch.json, queue actions in action_queue.json, run multiple Python scripts, and handle Telegram callbacks. It also tells users to export GOG_KEYRING_PASSWORD and in SETUP.md suggests exporting HOME=/root — that last step is unrelated to Gmail triage and could change runtime behavior. The instructions therefore touch file system state and sensitive env vars outside the declared minimal scope and grant broad discretion (e.g., 'process ALL messages') without the actual implementation included.
Install Mechanism
There is no formal install spec in the package (instruction-only). Documentation tells users to install the third-party 'gog' CLI (brew install steipete/tap/gogcli). Installing a third-party CLI via Homebrew is a reasonable dependency for this purpose, but because the skill lacks its own implementation files, it's unclear where the referenced Python scripts would come from — this ambiguity raises risk if the platform later downloads or expects external code.
! Credentials
Registry metadata declares no required env vars or primary credential, yet SKILL.md and SETUP.md explicitly instruct users to export GOG_KEYRING_PASSWORD and even advise adding it to shell profile. Recommending setting HOME=/root is unrelated to the stated purpose. Asking users to store a keyring password in an environment variable is a sensitive practice and should have been declared and justified in metadata; the omission is inconsistent and risky.
Persistence & Privilege
The skill does not request always:true and does not claim to modify other skills or system-wide configs. It does, however, instruct storing queue and batch state in local JSON files and suggests persisting the keyring password in shell profiles (persistent). Persisting sensitive env vars in user shells increases exposure; the skill's claimed ephemeral queue contrasts with the guidance to persist credentials.
What to consider before installing
This package has internal inconsistencies you should resolve before installing. Key points to consider:

  1. The SKILL.md references Python scripts (scripts/gog_processor.py, queue_manager.py, execute_queue.py) and JSON state files, but those code files are not included in the provided package — ask the author to supply the scripts or confirm where they come from.
  2. The docs instruct you to export GOG_KEYRING_PASSWORD (sensitive) and even to export HOME=/root — do not set HOME=/root unless you understand and accept the implications; it's unrelated to Gmail access. Avoid exporting credentials into persistent shell profiles; prefer OS keyring interactive auth or short-lived tokens.
  3. Verify the gog CLI source (https://gogcli.sh) and review any code that would be run locally (the missing scripts) for network calls, logging, or exfiltration before running.
  4. If you still want to try it, run the skill in an isolated environment (throwaway account or VM/container) and insist the author add explicit requires.env metadata and include the implementation files.
  5. If the author cannot provide the missing scripts or explain the HOME=/root instruction, treat the package as unsafe to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk973eva86k6n8419zq81f1wej580wjgg
1.5k downloads
2 stars
2 versions
Updated 21h ago
v1.0.1
MIT-0

Gmail Inbox Zero Triage

Achieve inbox zero with AI-powered email triage! Process ALL Gmail inbox messages interactively with summaries and batch actions using OAuth (no passwords needed).

Features

  • OAuth-based - No passwords, secure authentication via gog
  • AI summaries - Quick 1-line summary of each email
  • Batch processing - Queue actions instantly, execute at the end
  • Telegram buttons - Archive, Filter, Unsubscribe, View
  • Inbox zero focus - Process ALL inbox messages (read + unread)
  • Fast workflow - No waiting between actions

Workflow

  1. User triggers: "Triage my emails" or "Process my inbox"
  2. Fetch ALL inbox messages from Gmail (up to 20 at a time)
  3. Display all emails at once with:
    • Subject and sender
    • AI-generated summary (1 line)
    • Telegram inline buttons for actions
  4. User clicks actions for each email (queued instantly, no API calls yet)
  5. User clicks "Done" button to execute all queued actions in batch
  6. Repeat until inbox zero! 🎯

Prerequisites

Requires: gog CLI with authenticated Gmail account.

Check if already set up:

gog auth list

If not set up, user needs to run gog auth add (see gog skill for OAuth setup).

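Set the environment variable for the keyring password in the current shell session only (the scan above flags persisting it in a shell profile as increasing exposure):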

export GOG_KEYRING_PASSWORD="your-password"

Telegram Button Layout

Each email displays with 4 action buttons:

[📥 Archive] [🔍 Filter]
[🚫 Unsub]   [📧 View]

  • 📥 Archive - Remove from inbox, mark as read
  • 🔍 Filter - Create filter to auto-archive future emails from sender
  • 🚫 Unsubscribe - Find and open unsubscribe link
  • 📧 View - Show full email content
  • No click = Skip (leave in inbox)

At the end:

[✅ Done - Execute All Actions]

Action Queue System

Actions are queued using short callback codes to avoid Telegram's 64-char limit:

  • q:a:0 = queue archive, message index 0
  • q:f:0 = queue filter, message index 0
  • q:u:0 = queue unsubscribe, message index 0
  • q:v:0 = view full email, message index 0 (executes immediately)
  • q:done = execute all queued actions

Queue is managed via scripts/queue_manager.py and stored in action_queue.json.
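
Callback data arrives from the Telegram client and should be treated as untrusted before anything is queued. The following is an added example, not the skill's own code (the scan above notes the referenced scripts are absent from the package): it validates the callback grammar listed above and resolves the index against the current batch, so only message IDs the user was actually shown can be queued. All function names and the batch layout (dicts with an "id" key) are assumptions.

```python
import re

# Callback grammar from the page: q:<a|f|u|v>:<index> or q:done.
# All names here (parse_callback, CallbackError, ...) are hypothetical.
ACTIONS = {"a": "archive", "f": "filter", "u": "unsubscribe", "v": "view"}
CALLBACK_RE = re.compile(r"q:(?:done|([afuv]):(0|[1-9][0-9]{0,2}))")
CALLBACK_MAX_BYTES = 64  # Telegram's callback_data limit the page mentions

# Constructed sample data: a two-message batch and a stream of button presses.
SAMPLE_BATCH = [{"id": "msg-A"}, {"id": "msg-B"}]
SAMPLE_CALLBACKS = ["q:a:0", "q:a:0", "q:f:1", "q:v:1", "q:a:7", "q:x:0",
                    "q:done", "q:u:1"]


class CallbackError(ValueError):
    """Callback data that must not reach the action queue."""


def parse_callback(data, batch):
    """Map callback data to (action, message_id); q:done gives ("done", None).

    batch: messages shown to the user, assumed to be dicts with an "id" key.
    """
    if not isinstance(data, str) or len(data.encode("utf-8")) > CALLBACK_MAX_BYTES:
        raise CallbackError("missing or oversized callback data")
    m = CALLBACK_RE.fullmatch(data)
    if m is None:
        raise CallbackError("unrecognised callback data")
    if m.group(1) is None:
        return ("done", None)
    index = int(m.group(2))
    if index >= len(batch):
        raise CallbackError("index outside the current batch")
    return (ACTIONS[m.group(1)], batch[index]["id"])


def build_queue(callbacks, batch):
    """Queue valid actions once each, skip invalid input, stop at q:done."""
    queue, rejected = [], []
    for data in callbacks:
        try:
            action, msg_id = parse_callback(data, batch)
        except CallbackError as exc:
            rejected.append((data, str(exc)))
            continue
        if action == "done":
            break
        if action != "view" and (action, msg_id) not in queue:
            queue.append((action, msg_id))
    return queue, rejected
```

With the constructed sample, the duplicate archive press is queued once, the out-of-range and unknown-action presses are rejected with a reason, and nothing after q:done is processed.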

Scripts

gog_processor.py

Main processor for Gmail operations via gog CLI.

List inbox messages:

python3 scripts/gog_processor.py list <account> [limit]

Archive a message:

python3 scripts/gog_processor.py archive <account> <msg_id>

Find unsubscribe link:

python3 scripts/gog_processor.py unsubscribe <account> <msg_id>

Create filter:

python3 scripts/gog_processor.py filter <account> "<from_header>"

Get message body:

python3 scripts/gog_processor.py body <account> <msg_id>

queue_manager.py

Manages action queue for batch execution.

Add action to queue:

python3 scripts/queue_manager.py add <action> <msg_id> [from_header]

Get queue:

python3 scripts/queue_manager.py get

Clear queue:

python3 scripts/queue_manager.py clear

execute_queue.py

Executes all queued actions in batch.

python3 scripts/execute_queue.py <account>

Returns JSON with results of all executed actions.

Implementation Steps

  1. Load current batch: Fetch inbox messages and save to current_batch.json
  2. Display all emails: Show each with summary and buttons
  3. Handle button callbacks:
    • Archive/Filter/Unsub: Add to queue via queue_manager.py
    • View: Fetch and display full email immediately
    • Done: Execute queue via execute_queue.py
  4. Show results: Report archived count and remaining inbox count
  5. Repeat if needed: Fetch next batch or celebrate inbox zero

AI Summary Guidelines

Generate concise 1-line summaries:

  • Receipts/Invoices: "Payment receipt for $X. Financial record."
  • Security alerts: "Security notification about [action]. [Important/Standard] alert."
  • Newsletters: "Newsletter about [topic]. No action required."
  • Calendar: "Calendar [event type] for [date/time]."
  • Legal: "Legal [document type]. [Brief context]."

Keep it simple, factual, and action-oriented.

Security Notes

  • OAuth-based authentication - No passwords needed, uses gog's OAuth tokens
  • Tokens stored securely by gog CLI in system keychain
  • Read/modify permissions - gog only gets access to what user grants
  • Queue stored locally - Action queue is temporary, cleared after execution

Error Handling

Common issues:

  • gog not authenticated: Run gog auth add <account>
  • Account not found: Check gog auth list for available accounts
  • No inbox messages: Success state - inbox zero achieved!
  • Permission denied: User may need to re-authenticate with gog
  • Keyring password: Set GOG_KEYRING_PASSWORD environment variable

Dependencies

  • gog CLI - Must be installed and authenticated (see gog skill)
  • Python 3 - Standard library only (subprocess, json, re, pathlib)

No additional pip packages needed.

Tips for Best Experience

  • Process regularly: Triage inbox daily to maintain inbox zero
  • Use filters liberally: Auto-archive recurring newsletters and notifications
  • Archive aggressively: If you don't need it now, archive it (searchable in All Mail)
  • Batch mode is fast: Process 10-20 emails in under a minute
  • Trust the summaries: AI summaries are accurate for quick decisions
