Skill v1.2.0
ClawScan security
Gmail Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 13, 2026, 7:51 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's scripts and runtime instructions request persistent full-access Gmail credentials, daemonize background jobs that send WhatsApp updates (including log tails), and reference environment/config items that are not declared in the registry metadata. These mismatches and the automatic external notifications merit caution and review before installing.
- Guidance: Key points to consider before installing:
  - Metadata mismatch: The registry claims no required env vars/binaries, but SKILL.md and the scripts require the 'gog' CLI and GMAIL_ACCOUNT, and the background wrapper requires WHATSAPP_NOTIFY_TARGET. Ask the author to correct the declared requirements.
  - Full Gmail scope: The included gmail-auth-full-scope.sh requests https://mail.google.com/ (full access) and saves a persistent token at ~/.gmail-skill/full-scope-token.json. That token allows permanent deletion of messages. Only grant this to software you fully trust; consider running the auth script manually and inspecting the token lifecycle.
  - Automatic WhatsApp notifications: The background wrapper daemonizes tasks and sends WhatsApp updates (including the last ~50 lines of the task log) every ~30s to WHATSAPP_NOTIFY_TARGET via openclaw message send. This can leak message metadata or other sensitive output to the notification target. If you do not want logs sent externally, do not set WHATSAPP_NOTIFY_TARGET or modify the wrapper.
  - Local credentials access: Scripts read gog credentials from standard config paths and call 'gog auth tokens export'. This means the skill will access other stored credentials. Verify you are comfortable with that and that gog credentials are not used by other critical services.
  - Persisted background jobs: The skill creates ~/.gmail-skill/jobs and uses /tmp logs. Background jobs continue after agent timeouts. Confirm you want detached processes that can run independently and send notifications.

  Recommended actions:
  1. Request corrected metadata and an explanation from the skill author (declare WHATSAPP_NOTIFY_TARGET, the gog requirement, and the full-scope intent).
  2. Review the scripts line-by-line (they are included) or have a trusted admin do so; test on a non-production/test Gmail account first.
  3. If you do install, do not run the full-scope OAuth flow unless necessary; prefer the gmail.modify scope if you only need trashing (not permanent deletion).
  4. Remove or disable WhatsApp notifications (or set the notify target to a controlled test number) if you are concerned about data leakage from logs.

  If any of the above items are unacceptable, treat this skill as high-risk and do not install it in an account containing sensitive emails.
Review Dimensions
- Purpose & Capability (concern): The name/description (Gmail automation: summarize, labels, purge, filing, deletion) is consistent with the included scripts, but the package metadata advertised no required env vars/binaries while SKILL.md and scripts clearly require the 'gog' CLI and a GMAIL_ACCOUNT env var. The scripts also read gog credentials from the user's home (~/Library/Application Support/gogcli or ~/.config/gogcli) and call 'gog auth tokens export'; accessing other tool credentials is not declared in the registry and is unexpected to a casual reader. The skill also includes an OAuth helper that requests full Gmail scope (permanent delete). That level of access is plausible for a deletion feature but should be explicitly declared and justified in metadata.
- Instruction Scope (concern): SKILL.md enforces that the agent MUST run provided shell scripts (never skip, never fabricate results) and MUST use the gmail-background-task.sh wrapper for many capabilities. The wrapper daemonizes tasks and repeatedly sends WhatsApp progress updates including the last lines of the task log (tail -50). That means log contents (which may include message metadata and possibly message snippets emitted by other scripts) will be sent out-of-band to a WhatsApp target. The SKILL.md lists only GMAIL_ACCOUNT in requires, but the wrapper actually requires WHATSAPP_NOTIFY_TARGET (and optionally WHATSAPP_UPDATE_INTERVAL). The instructions also insist the agent never use timeout or run scripts directly, forcing use of the notifier wrapper.
- Install Mechanism (note): There is no install spec (instruction-only), but the package contains multiple executable scripts that will be written to disk when the skill is installed and executed by the agent. No external downloads/URLs are used by the scripts themselves. Because code is present and executed, this is higher risk than a pure instructions-only skill, but there is no remote installer or URL extraction step.
- Credentials (concern): The top-level registry metadata claimed no required env vars, but SKILL.md declares GMAIL_ACCOUNT and the scripts in practice require additional environment settings: WHATSAPP_NOTIFY_TARGET and optionally WHATSAPP_UPDATE_INTERVAL. The scripts also depend on the gog CLI and on gog credentials stored in the user's config directory (they read credentials.json and export tokens). The gmail-auth-full-scope.sh grants and stores a full-scope token (~/.gmail-skill/full-scope-token.json) capable of permanent deletion. Requesting/creating a persistent full-scope token and reading other CLI credentials is a high-privilege action and should be explicitly declared; its absence from metadata is a notable mismatch.
- Persistence & Privilege (concern): The skill writes persistent artifacts under ${HOME}/.gmail-skill (job registry and, optionally, a full-scope OAuth token) and daemonizes background jobs that survive the agent runtime. The background monitor will repeatedly send WhatsApp updates (and final results) using openclaw message send. Persisting a full-scope token and running detached processes that automatically send external notifications increases blast radius; combined with the undeclared WhatsApp notifier, this is a meaningful privilege escalation relative to a simple query/summary skill.
