v0.1.2

Openclaw Email Bypass

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:27 AM.

Analysis

The skill mostly matches its email-relay purpose, but it can send mail as you through a public Google Apps Script endpoint and the relay code it tells you to deploy is missing from the package.

Guidance: Install only if you intentionally want an agent-capable email relay. Before using it, review or obtain the missing Code.gs relay source, use a dedicated Google account if possible, protect and rotate the token, and require human approval or strict recipient limits for outbound emails.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
You can use the provided script to send emails from any sub-agent or task

The artifacts explicitly encourage agent/sub-agent use of an email-sending function, but do not document confirmation, allowlists, rate limits, or other controls around external email delivery.

User impact: An agent mistake or prompt-driven misuse could send unintended, spammy, or sensitive emails from the user's account.
Recommendation: Require explicit user approval before each email, restrict allowed recipients where possible, add logging and rate limits, and avoid autonomous email sending for high-impact messages.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
README.md
`assets/Code.gs`: The Google Apps Script source code.

The documentation relies on assets/Code.gs as the core relay source, but the provided manifest does not include that file, so the relay code and its token checks are not backed by the included artifacts.

User impact: A user may need to fetch or copy unreviewed relay code from elsewhere, despite the skill's security claims depending on that code.
Recommendation: Do not deploy the relay until the exact Code.gs source is included and reviewed; pin any external dependencies or clearly document where trusted setup code comes from.
Human-Agent Trust Exploitation
Severity: Low | Confidence: Medium | Status: Note
README.md
User-Owned Infrastructure: You deploy the relay on your own Google account. No third-party servers see your data.

The skill discloses its use of Google Apps Script, but this wording may overstate privacy because the relay and mail delivery still run on Google-hosted services.

User impact: Users may underestimate that Google infrastructure processes the message content and relay request.
Recommendation: Treat this as a Google-hosted relay, not fully self-hosted infrastructure, and review Google's account, quota, logging, and privacy implications.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
references/setup.md
Execute as: **Me**. Who has access: **Anyone** (The `AUTH_TOKEN` protects it).

The relay is intended to run with the user's Google identity while being reachable as a public web app; access control depends on a shared token.

User impact: If the token or URL is exposed, or if an agent misuses the tool, emails could be sent as the user and may affect account reputation or quotas.
Recommendation: Use a dedicated Google account when possible, set a strong random token, rotate it periodically, monitor sent-mail activity, and make the credential requirement explicit before installation.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
scripts/send_email.py
`"token": token` ... `response = requests.post(url, json=payload)`

The client sends the email contents and bearer token to the configured GOOGLE_SCRIPT_URL. This is purpose-aligned, but it is a sensitive webhook-style data boundary.

User impact: Email content and the relay token are transmitted to the configured endpoint; a wrong or compromised URL would receive both.
Recommendation: Verify the GOOGLE_SCRIPT_URL, protect the token like a password, avoid placing secrets in email bodies, and rotate the token if exposure is suspected.