email-pro-optimized
WarnAudited by ClawScan on May 10, 2026.
Overview
This email skill mostly matches its purpose, but it asks for broad mailbox authority and includes unrelated scripts that can sync or push skill files outside the email workflow.
Review the OAuth scopes before authorizing, prefer your own Gmail/Outlook OAuth app credentials, and do not run the auto-push or sync scripts unless you intentionally want developer publishing behavior. Confirm every send action and attachment before allowing the agent to use the configured mailbox.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Authorizing the skill may grant broad mailbox access or modification rights, depending on the provider and app configuration.
The OAuth flow requests Gmail modification authority and Microsoft Graph default permissions, which can be broader than simple read/send email operations and are not clearly bounded in the metadata.
'scope': 'https://www.googleapis.com/auth/gmail.modify' ... 'scope': 'https://graph.microsoft.com/.default'
Use least-privilege OAuth scopes, document the exact permissions users will grant, and declare the credential/config requirements in metadata.
A user may authorize through an app registration whose ownership, configured permissions, and long-term control are unclear.
The Outlook authorization helper embeds a preconfigured Azure app client secret, tenant ID, and account name instead of requiring user-owned OAuth app settings.
--client-id "0360031a-..." \ --client-secret "914fb58f-..." \ --tenant-id "40a99b83-..." \ --name "outlook_live"
Remove hard-coded OAuth app credentials, require users to provide their own client configuration, and explain who controls the app registration.
If invoked incorrectly, the agent could send messages or attachments from the configured mailbox.
The skill can send email to arbitrary recipients and attach local files when invoked. This is core email functionality, but it is high-impact.
send_parser.add_argument('--to', required=True, help='收件人') ... send_parser.add_argument('--attach', nargs='+', help='附件')Confirm recipient, subject, body, account, and attachments before sending, especially when the agent proposes a send command.
Private email content may enter the conversation context, and malicious emails could contain instructions that should not be trusted.
Email snippets and fetched message content are returned to the agent/user as JSON, which is expected for an email reader but may include sensitive or untrusted message text.
'snippet': self._get_snippet(msg)
Treat email bodies as untrusted content, avoid broad fetching unless needed, and do not let instructions inside emails override the user’s intent.
If run, this script could publish local skill changes to a remote repository, which is outside normal email-management behavior.
An email skill includes an unrelated helper that runs shell commands to stage, commit, and push repository changes to GitHub.
subprocess.run(cmd, shell=True, cwd=cwd or SKILL_DIR, ...)
...
run_command("git add -A")
...
run_command(f"git push origin {branch}")Remove this script from the distributed skill or clearly separate it as developer-only tooling that agents should not invoke.
Running it could propagate changes into another workspace and create unexpected cross-project effects.
A bundled update script copies skill files into a separate fixed workspace and later suggests publishing updates, which is unrelated to email handling.
WORKSPACE_DIR = Path.home() / '.openclaw' / 'workspace-telegram-bot1' ... shutil.copy2(src, dst)
Do not run the sync/update scripts unless you understand the target workspace; remove or gate this developer workflow from the user-facing skill.