Gmail Inbox Zero Triage

Security checks across malware telemetry and agentic risk

Overview

This Gmail triage skill appears purpose-aligned but needs review: it can read and modify a full inbox, it can expose email content through AI and Telegram workflows, and its setup asks users to handle a keyring password in an unsafe way.

Install only if you trust the publisher with broad Gmail access. Use a dedicated or low-risk Gmail account where possible, do not store GOG_KEYRING_PASSWORD in shell startup files, confirm exactly what email content is sent to Telegram or AI summarization, and require manual review before executing archive, filter, or unsubscribe batches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Vague Triggers

Severity: Medium | Confidence: 84%

The skill advertises broad activation language for email triage without clear scope constraints, which can cause the agent to invoke a high-impact email-management workflow in unintended contexts. Because this skill can process all inbox messages and queue destructive actions, overbroad triggering increases the chance of accidental execution against sensitive user mail.

Vague Triggers

Severity: Medium | Confidence: 86%

The installation/use instructions add vague phrases like 'triage my emails' and 'process my inbox,' which are generic enough to match ordinary conversation and unintentionally activate the skill. In a capability that reads and modifies Gmail at scale, ambiguous invocation materially raises the risk of unauthorized or mistaken processing.

Missing User Warnings

Severity: High | Confidence: 93%

The overview promotes processing all inbox messages and displaying interactive content through Telegram, but it does not prominently warn users that sensitive email data may be accessed, summarized by AI, and exposed through an external messaging platform. This creates a meaningful privacy and data-handling risk, especially for users with confidential or regulated email content.

Vague Triggers

Severity: Medium | Confidence: 85%

The trigger phrase "triage my emails" is broad enough that it could be invoked during ordinary conversation, causing the skill to activate when the user did not intend to process their inbox. In a skill that can summarize and queue mailbox actions across all inbox messages, unintended activation increases the risk of privacy exposure and accidental destructive actions.

Missing User Warnings

Severity: Medium | Confidence: 92%

The README highlights batch actions like archive, filter, and unsubscribe over ALL inbox messages without warning users that these operations can be destructive or difficult to reverse at scale. Because this is an email-management skill with broad mailbox scope, missing warnings and safeguards make accidental loss of visibility, filtering mistakes, or unwanted unsubscribe actions more likely.

Vague Triggers

Severity: Medium | Confidence: 89%

The usage examples use very generic phrases like 'Process my inbox' and 'Help me achieve inbox zero', which are likely to overlap with ordinary user conversation and can cause the skill to activate unintentionally. In a skill that can read inbox contents and later execute batch email actions, accidental invocation increases the chance of unintended access to sensitive mail data or unintended mailbox modifications.

Missing User Warnings

Severity: Medium | Confidence: 96%

The setup instructs users to export a keyring password as an environment variable and later suggests persisting it in shell startup files, which exposes a sensitive secret to shell history, process environments, logs, and other local users or tools. Because this password unlocks Gmail-related credentials for non-interactive use, compromise of the variable can enable unauthorized email access through the authenticated CLI.

Vague Triggers

Severity: Medium | Confidence: 95%

The activation phrase "Triage my emails" is broad enough that the skill could be invoked unintentionally when a user makes a general request about email triage. Because this skill performs high-impact mailbox operations, accidental invocation could expose message contents to AI summarization and lead to unintended bulk actions on user email.

Vague Triggers

Severity: Medium | Confidence: 93%

The example phrases "Triage my emails" and "Process my inbox" are ambiguous and do not clearly constrain the scope to Gmail, this specific skill, or read-only versus destructive actions. In context, this increases the risk that normal conversational requests trigger a skill capable of batch archiving, filtering, or unsubscribing across the entire inbox.

Missing User Warnings

Severity: Medium | Confidence: 90%

The description emphasizes speed and inbox-zero processing of ALL messages, but it does not warn users that the skill can perform bulk modifications to mailbox state and may summarize email content with AI. Without a clear warning, users may underestimate the sensitivity of the data being processed and the consequences of executing queued actions.

Missing User Warnings

Severity: Medium | Confidence: 97%

The setup instructions tell users to export `GOG_KEYRING_PASSWORD` directly in the shell without warning that this places a sensitive credential in environment variables, shell history, and potentially process inspection or logs. Even though OAuth is used for Gmail, mishandling the keyring password can compromise stored tokens or account access workflows.
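The two keyring-password findings recommend against persisting `GOG_KEYRING_PASSWORD` in the shell but do not show the alternative. The following is an added example, not code from the skill or its publisher: it scans the usual bash/zsh startup and history files for assignments of the variable (a literal value and a `$(...)` substitution are both flagged, since either puts the secret in every interactive shell's environment) and shows how to hand the password to a single child process instead, reading it with `getpass` so it never lands on a command line. The page does not name the Gmail CLI, so the command to run is taken from the arguments; the file list and the `/proc` caveat describe typical Linux shells.

```python
"""Keep the keyring password out of startup files and shell history.

Added example for this review: audits common shell files for a persisted
GOG_KEYRING_PASSWORD and runs one command with the secret set only in that
child's environment.
"""
from __future__ import annotations

import getpass
import os
import re
import subprocess
import sys
from pathlib import Path

SECRET_VAR = "GOG_KEYRING_PASSWORD"

# `export VAR=...` or bare `VAR=...`, with or without quotes or command substitution.
_ASSIGN_RE = re.compile(rf"^\s*(?:export\s+)?{re.escape(SECRET_VAR)}\s*=(?P<value>.*)$")


def find_persisted_secret(text: str, source: str = "<text>") -> list[dict]:
    """Return one record per line of *text* that assigns the secret.

    A command substitution such as VAR="$(pass show gog)" is flagged too:
    it still puts the secret into every interactive shell's environment,
    from where every program that shell launches inherits it.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _ASSIGN_RE.match(line)
        if m is None:
            continue
        value = m.group("value")
        kind = "command-substitution" if re.search(r"\$\(|`", value) else "literal"
        hits.append({"source": source, "line": lineno, "kind": kind})
    return hits


def audit_startup_files(home: Path | None = None) -> list[dict]:
    """Scan the usual bash/zsh startup and history files under *home*."""
    home = home or Path.home()
    names = [".bashrc", ".bash_profile", ".profile", ".zshrc", ".zprofile",
             ".zshenv", ".bash_history", ".zsh_history"]
    hits: list[dict] = []
    for name in names:
        path = home / name
        if path.is_file():
            hits.extend(find_persisted_secret(path.read_text(errors="replace"), str(path)))
    return hits


def run_with_secret(cmd: list[str], secret: str) -> int:
    """Run *cmd* with the password present only in the child's environment.

    Nothing is written to history or startup files and the parent shell's
    environment is untouched. Caveat: while the child runs, the same user
    (or root) can still read /proc/<pid>/environ on Linux, so this limits
    persistence, not same-user exposure.
    """
    env = {**os.environ, SECRET_VAR: secret}
    return subprocess.run(cmd, env=env, check=False).returncode


def child_sees_secret() -> bool:
    """Self-check: a throwaway value reaches the child but not this process."""
    probe = f"import os, sys; sys.exit(0 if os.environ.get({SECRET_VAR!r}) == 'probe' else 1)"
    had_before = SECRET_VAR in os.environ
    ok = run_with_secret([sys.executable, "-c", probe], "probe") == 0
    return ok and (SECRET_VAR in os.environ) == had_before


if __name__ == "__main__":
    # Usage: python keyring_guard.py <command> [args...]  (the CLI name is not assumed here)
    for hit in audit_startup_files():
        print(f"{hit['source']}:{hit['line']}: {SECRET_VAR} is assigned ({hit['kind']})")
    if len(sys.argv) < 2:
        sys.exit("usage: keyring_guard.py <command> [args...]")
    password = getpass.getpass(f"{SECRET_VAR}: ")  # no echo, no history entry
    sys.exit(run_with_secret(sys.argv[1:], password))
```

Run the audit first; if it reports a hit, remove that line and rotate the password, since the old value is already in the file and possibly in backups of it. For unattended runs the same pattern applies: have the scheduler or secret manager inject the variable into the one process that needs it rather than into a login shell.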

Vague Triggers

Severity: Medium | Confidence: 84%

The trigger phrases 'Triage my emails' and especially 'Process my inbox' are broad enough to match ordinary user requests and can cause the skill to activate in situations where the user did not intend bulk email operations. In this skill's context, accidental invocation is more dangerous because it can queue destructive mailbox actions such as archive, filter creation, and unsubscribe workflows across all inbox messages.

Missing User Warnings

Severity: Medium | Confidence: 91%

The workflow emphasizes fast queued execution of archive, filter, and unsubscribe actions but does not prominently warn users that these are potentially destructive bulk mailbox modifications. In an inbox-management skill operating over all inbox messages, lack of a clear warning increases the chance of user harm through mistaken archiving, overbroad filters, or unwanted unsubscribes.
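The batch-action findings, and the Overview's call for manual review before archive, filter, or unsubscribe batches, describe a safeguard without showing one. The following is an added example and not part of the skill: an approval gate that splits queued actions into read-only and destructive sets, treats any kind not known to be read-only as destructive and rejects unknown kinds outright, caps a destructive batch (the default of 25 is an assumption), and refuses to run destructive steps until the rendered review sheet has been approved. The destructive action names follow the README's archive/filter/unsubscribe vocabulary; `summarize`, `list` and the executor callback are placeholders for whatever the skill actually calls.

```python
"""Approval gate for bulk mailbox actions.

Added example for this review: separates read-only steps from destructive
ones, caps a destructive batch, and refuses to run destructive steps until
the user has approved a rendered review sheet.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

# Destructive kinds follow the skill's README vocabulary; the read-only set
# is illustrative. Anything not in READ_ONLY is treated as destructive and,
# if also unknown, rejected outright (fail closed).
READ_ONLY = frozenset({"summarize", "list"})
DESTRUCTIVE = frozenset({"archive", "create_filter", "unsubscribe"})


@dataclass(frozen=True)
class Action:
    kind: str
    target: str  # message id, sender address, or filter expression
    note: str = ""


@dataclass
class Plan:
    read_only: list[Action] = field(default_factory=list)
    destructive: list[Action] = field(default_factory=list)
    rejected: list[str] = field(default_factory=list)


class ApprovalRequired(PermissionError):
    """Raised when destructive actions are run without explicit approval."""


def plan_batch(actions: list[Action], max_destructive: int = 25) -> Plan:
    """Classify queued actions; reject unknown kinds and oversized batches.

    The cap (25 is an assumed default) forces a large inbox-zero sweep into
    several chunks the user can actually read before approving.
    """
    plan = Plan()
    for action in actions:
        if action.kind in READ_ONLY:
            plan.read_only.append(action)
            continue
        plan.destructive.append(action)
        if action.kind not in DESTRUCTIVE:
            plan.rejected.append(f"unknown action kind {action.kind!r} on {action.target}")
    if len(plan.destructive) > max_destructive:
        plan.rejected.append(
            f"{len(plan.destructive)} destructive actions exceed the cap of {max_destructive}")
    return plan


def render_review(plan: Plan) -> str:
    """The sheet a user must see before approving; lists every destructive step."""
    lines = [f"{len(plan.read_only)} read-only, {len(plan.destructive)} destructive"]
    lines += [f"  [{a.kind}] {a.target} {a.note}".rstrip() for a in plan.destructive]
    lines += [f"  REJECTED: {reason}" for reason in plan.rejected]
    return "\n".join(lines)


def run_read_only(plan: Plan, run: Callable[[Action], None]) -> int:
    """Read-only steps need no approval but still never run from a rejected plan."""
    if plan.rejected:
        raise ValueError("plan has rejected items:\n" + render_review(plan))
    for action in plan.read_only:
        run(action)
    return len(plan.read_only)


def run_destructive(plan: Plan, approved: bool, run: Callable[[Action], None]) -> int:
    """Destructive steps run only for a clean plan the user explicitly approved."""
    if plan.rejected:
        raise ValueError("plan has rejected items:\n" + render_review(plan))
    if plan.destructive and not approved:
        raise ApprovalRequired("approval needed for:\n" + render_review(plan))
    for action in plan.destructive:
        run(action)
    return len(plan.destructive)


if __name__ == "__main__":
    # Constructed sample queue; `run` would call the Gmail CLI in real use.
    queue = [
        Action("summarize", "msg-001"),
        Action("archive", "msg-002", "newsletter, unread 40 days"),
        Action("unsubscribe", "news@example.com"),
        Action("create_filter", "from:promo@example.com", "auto-archive"),
    ]
    plan = plan_batch(queue)
    print(render_review(plan))
    run_read_only(plan, print)
    try:
        run_destructive(plan, approved=False, run=print)
    except ApprovalRequired as exc:
        print("blocked:", exc)
    run_destructive(plan, approved=True, run=print)
```

The point of separating `run_read_only` from `run_destructive` is that summaries can be produced and shown without any sign-off, while archiving, filter creation and unsubscribing wait for an explicit `approved=True` that only a human should supply after reading the sheet; an agent that forwards its own "yes" defeats the gate, so the approval should come from the chat UI, not from the model.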

Missing User Warnings

Severity: Medium | Confidence: 89%

The skill advertises AI summaries and full email viewing without warning that email contents, metadata, and potentially sensitive personal or business information may be processed and displayed. In the context of Gmail triage, this raises meaningful privacy risk because users may not realize sensitive inbox content is being exposed to summarization logic or surfaced in external interfaces like Telegram.
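The findings about email content reaching AI summarization and Telegram leave the user to "confirm exactly what email content is sent" without a way to do so. The following added example (not the skill's own code) shows one way to make that confirmable: a minimization step that drops message bodies by default, redacts addresses and long digit runs from whatever is kept, reduces the sender to its domain, and returns an audit record of the field names transmitted per message alongside a final guard that refuses to send if a raw address survived. The `Message` structure and the sample messages are constructed for illustration; the regular expressions are heuristics and will not catch obfuscated addresses or numbers split by spaces.

```python
"""Data minimization for summaries that leave the machine.

Added example for this review: strips message bodies by default, redacts
addresses and long digit runs, reduces the sender to its domain, and returns
an audit record of exactly which fields were transmitted per message.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
LONG_DIGITS_RE = re.compile(r"\b\d{6,}\b")  # account, order, phone, OTP-like runs


@dataclass(frozen=True)
class Message:
    msg_id: str
    sender: str
    subject: str
    body: str


def redact(text: str) -> str:
    """Heuristic redaction; obfuscated addresses ("x at y dot com") are not caught."""
    return LONG_DIGITS_RE.sub("[number]", EMAIL_RE.sub("[email]", text))


def sender_domain(addr: str) -> str:
    """Keep only the sender's domain: enough to triage, not enough to name a mailbox."""
    m = EMAIL_RE.search(addr)
    return m.group(0).rsplit("@", 1)[1].lower() if m else "[unknown]"


def minimize_for_external(messages, *, include_body: bool = False,
                          subject_max: int = 60, body_max: int = 200):
    """Return (payload, audit).

    *payload* is the only thing that may be sent to the bot or model.
    *audit* names the fields sent per message so the user can confirm
    exactly what left the machine. Bodies are omitted unless include_body
    is set, and even then they are redacted and truncated.
    """
    payload, audit = [], []
    for m in messages:
        item = {
            "id": m.msg_id,
            "from_domain": sender_domain(m.sender),
            "subject": redact(m.subject)[:subject_max],
        }
        if include_body:
            item["body_excerpt"] = redact(m.body)[:body_max]
        payload.append(item)
        audit.append({"id": m.msg_id, "fields_sent": sorted(item)})
    return payload, audit


def contains_raw_address(payload) -> bool:
    """Final guard before transmission: any surviving raw address means stop."""
    return any(EMAIL_RE.search(str(v)) for item in payload for v in item.values())


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    Message("m1", "Alerts <alerts@bank.example>",
            "Statement for account 123456789 is ready",
            "Dear customer, contact help@bank.example about card 4111111111111111."),
    Message("m2", "promo@shop.example",
            "Welcome offer for you, jane.doe@example.com",
            "Click to unsubscribe."),
]

if __name__ == "__main__":
    payload, audit = minimize_for_external(SAMPLE_MESSAGES)
    assert not contains_raw_address(payload)
    for item, record in zip(payload, audit):
        print(item, "->", record["fields_sent"])
```

The audit list is what to show the user when they ask what was sent; it is deliberately derived from the payload that actually goes out rather than from a separate description, so the two cannot drift apart. Enabling `include_body` should be a per-run, user-visible choice, since even a redacted excerpt of a regulated message may be more than the user intended to share with a hosted model or a Telegram bot.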

VirusTotal

63 of 63 vendors rated this skill clean.
