Skill v1.0.1
ClawScan security
A safer e-mail assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 4:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required environment variables align with a self-hosted email-gateway assistant; nothing in the bundle requests unrelated credentials or external endpoints beyond the declared gateway.
- Guidance: This skill appears coherent for connecting to a self-hosted ai-email-gateway. Before installing: (1) make sure GATEWAY_BASE_URL points to a gateway you control or trust; the helper script sends GATEWAY_API_KEY in an Authorization header to whatever host that URL names, so pointing it at an unknown third-party server hands the key to that server. (2) Store GATEWAY_API_KEY securely and keep it out of logs; the script does not intentionally print the key, but debug logging of request headers would. (3) The included script prints JSON to stdout and, as written, calls messages:list with include_body=True, so message bodies can end up in agent outputs or logs; to reduce exposure, change the default to include_body=False or do not run the script. (4) The state file (.agent_state_email.json) is written to the working directory and holds only seen message ids and timestamps; relocate it if that is a concern. (5) Confirm you want the agent to be able to read message text before enabling autonomous invocations. For extra assurance, review the gateway server code in the linked repo and run the gateway in a network-isolated environment.
Review Dimensions
- Purpose & Capability (ok): Name/description match the requested env vars (GATEWAY_BASE_URL, GATEWAY_API_KEY, ACCOUNT_ID), and the included scripts operate only against the configured gateway API endpoints (/sync, /jobs, /messages:list, /messages:thread, /drafts). No unrelated cloud keys or system-level credentials are requested.
- Instruction Scope (note): SKILL.md and the script stay within the gateway API and the local state file. One inconsistency: SKILL.md emphasizes defaulting to 'cleaned body text' and avoiding raw bodies, but scripts/check_new_messages.py calls messages:list with include_body=True by default (i.e., it fetches message bodies). This can surface message content to stdout and agent logs; consider making include_body default to false unless explicitly requested.
- Install Mechanism (ok): Instruction-only skill with no install spec; one small Python helper script is included. No downloads, package installs, or archive extraction are present.
- Credentials (ok): Required env vars are limited to the gateway base URL, API key, and account id(s), which are appropriate for a self-hosted gateway integration. No unrelated SECRET/TOKEN variables or system config paths are requested.
- Persistence & Privilege (ok): always:false (default). The skill writes a local state file (.agent_state_email.json by default) that contains only polling metadata (last_checked_at, seen_ids). This is proportional to its polling/sync function; it does not modify other skills or system-wide configs.
