Gmail Skill
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill matches its Gmail-management purpose, but it has high-impact Gmail deletion authority, persistent background execution, full-scope token handling, and automatic WhatsApp result forwarding that users should review carefully.
Only install this if you are comfortable granting broad Gmail access and allowing background jobs that can delete email. Before use, verify the scripts, set a safe Gmail account and WhatsApp target, avoid the full-scope token unless permanent delete is truly needed, and require explicit previews/confirmations for any deletion task.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A wrong label, date, or invocation could remove many Gmail messages, and with the full-scope token the removal can be irreversible.
This script can permanently delete or trash every matching message for a label/date query. The script itself has no dry-run or interactive confirmation before performing the deletion.
if can_delete:
service.users().messages().delete(userId="me", id=msg_id).execute()
else:
service.users().messages().trash(userId="me", id=msg_id).execute()Require a preview of affected messages and an exact per-run confirmation showing account, label, date, count, and whether deletion is permanent; default to trash unless the user explicitly requests permanent deletion.
A malformed or maliciously named label/task argument could turn a Gmail operation into arbitrary shell execution under the user's account.
The background wrapper accepts a command string and runs it through shell eval. If user-controlled values such as label names or task arguments are embedded unsafely, shell metacharacters could execute unintended local commands.
COMMAND="$@" ... eval "$COMMAND" >> "$LOG_FILE" 2>&1 &
Remove eval, pass commands as an argument array, and whitelist the specific Gmail scripts and arguments the wrapper is allowed to run.
Once started, a cleanup or deletion task may keep running even if the user closes the session or changes their mind.
The skill intentionally launches long-running Gmail tasks outside the active agent session. Several of those tasks are destructive or account-mutating, and the artifacts do not show a cancellation workflow.
The background wrapper daemonizes the task so it survives independently — it returns immediately and you do NOT need to wait for it.
Provide a clear cancel/stop command, avoid background mode for destructive operations unless explicitly requested, and confirm the operation immediately before daemonizing it.
Gmail-related information may be forwarded to WhatsApp without a per-task choice to keep results local.
Background task results and log tails are automatically sent over WhatsApp to an environment-configured target. Those logs can include Gmail account details, label names, message IDs, counts, and task output.
OUTPUT=$(tail -50 "$LOG_FILE") ... openclaw message send --channel whatsapp --target "$NOTIFY_TARGET" --message "$1"
Make WhatsApp delivery opt-in, declare WHATSAPP_NOTIFY_TARGET in metadata, redact sensitive output, and offer a local-only mode for Gmail job results.
Installing and using the full-scope flow grants the skill very broad long-lived access to the user's Gmail account.
The skill can obtain and persist a full Gmail-scope refresh token, which is powerful enough for permanent deletion. The registry metadata declares no primary credential or required environment variables.
SCOPES = ["https://mail.google.com/"]
...
"refresh_token": creds.refresh_token,
...
with open(token_file, "w") as f:
json.dump(token_data, f, indent=2)Use least-privilege Gmail scopes by default, store tokens with restrictive permissions, verify the token account before use, and clearly declare credential requirements in metadata.
The skill may fail or require manual installation of tools with their own permissions and provenance.
The scripts rely on external tools and Python packages, while the registry says there is no install spec and no required binaries or environment variables. This is a dependency/provenance disclosure gap rather than direct malicious behavior.
# Requirements: # - gog CLI (for listing labels and message operations) # - python3 with google-auth and google-api-python-client # - jq (for JSON parsing)
Add complete install metadata, pinned dependency guidance, and explicit setup instructions for gog, jq, Python packages, GMAIL_ACCOUNT, and notification settings.