ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gmail Bridge

Google Workspace Bridge (Gmail, Drive, Sheets, Calendar) via local API at http://127.0.0.1:8787

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 203 · 1 current installs · 1 all-time installs
by@spinzerus
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (local Google Workspace bridge) align with the provided script and examples. Required binaries (curl, jq) are reasonable for an HTTP-to-jq CLI wrapper. There are no excessive permissions or unrelated credentials requested.
!
Instruction Scope
SKILL.md and run.sh mostly match for read/list/get operations, but SKILL.md documents a 'forward' command and duplicates some sections while run.sh has no 'forward' case — mismatch. SKILL.md states the bridge is at http://127.0.0.1:8787, but the script reads GMAIL_BRIDGE_URL to override the base URL (the SKILL.md documents BRIDGE_SECRET but not GMAIL_BRIDGE_URL). That means the tool can be pointed at a remote endpoint via an environment variable not called out in the README, creating a risk that email/content could be sent off-machine if GMAIL_BRIDGE_URL is set.
Install Mechanism
Instruction-only with a small shell script; there is no install spec or external downloads, so nothing is written to disk beyond the shipped run.sh.
!
Credentials
SKILL.md documents an optional BRIDGE_SECRET env var (reasonable). However, the script also honors GMAIL_BRIDGE_URL and GMAIL_BRIDGE_URL is not documented in SKILL.md; the skill declares no required env vars but will act on that undocumented variable. An attacker or misconfiguration that sets GMAIL_BRIDGE_URL could redirect data to a non-local host. No other credentials are requested.
Persistence & Privilege
The skill is not always-on, has no install steps that modify system or other skills, and does not request persistent privileges. Model invocation is allowed (default) which is normal for skills.
What to consider before installing
This skill is close to benign but has a few red flags you should address before installing or using it: - Confirm the bridge really runs on 127.0.0.1:8787 and that you control it. The script defaults to that host, but it will honor a GMAIL_BRIDGE_URL environment variable (not documented in SKILL.md) — ensure no unexpected env var points the skill at a remote host. - The SKILL.md shows a 'forward' command example, but run.sh does not implement a forward case. Expect some documentation/code mismatch and test behavior first. - If your bridge enforces a secret header, set BRIDGE_SECRET locally; otherwise do not export secrets globally. Prefer setting BRIDGE_SECRET only in a controlled shell/session. - Review run.sh locally (it’s short) to confirm it only calls endpoints you expect. If you don’t run a trusted local bridge, do not use this skill. If you want to proceed safely: run the script in a controlled environment, verify BASE_URL (and unset any GMAIL_BRIDGE_URL), and confirm the bridge’s authentication and audit/logging before exposing real mail or files.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk971x3sdmyfntj4bgnycgm1v5n826b2w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📧 Clawdis
Binscurl, jq

SKILL.md

gmail-bridge

Use this skill whenever the user asks about:

  • latest emails / unread emails / email search
  • reading a specific email
  • searching Google Drive files
  • reading/writing Google Sheets ranges
  • checking calendar events or creating events

IMPORTANT BEHAVIOR RULES (for a good assistant experience)

  • Do NOT return Gmail message IDs alone unless the user explicitly asks.
  • For “check my latest email(s)”, return a short list of the latest 5–10 items with: Subject, From, Date, Snippet
  • If the user asks “open email #3” or similar, call get on that message ID and summarize.
  • For Sheets/Drive/Calendar, always show a concise summary and ask a follow-up only when an ID/range/time window is missing.

How to use

Gmail

  1. Latest emails (returns summaries):
  • bash run.sh recent 10
  1. Unread emails:
  • bash run.sh unread 10
  1. Search emails (Gmail query syntax):
  • bash run.sh search "from:amazon subject:invoice" 10
  1. Forward an email to a specific address:
  • bash run.sh forward <messageId> <emailAddress>
  • For example: bash run.sh forward 19c647bc33f89bdd christopher.tock@gmail.com
  1. Email details:
  • bash run.sh get <messageId> metadata
  • formats: metadata (default), full, raw

Gmail

  1. Latest emails (returns summaries):
  • bash run.sh recent 10
  1. Unread emails:
  • bash run.sh unread 10
  1. Search emails (Gmail query syntax):
  • bash run.sh search "from:amazon subject:invoice" 10
  1. Email details:
  • bash run.sh get <messageId> metadata
  • formats: metadata (default), full, raw

Drive

  1. Search files (Drive query language):
  • bash run.sh drive-search "name contains 'FutureReady'" 10
  1. Get file metadata:
  • bash run.sh drive-file <fileId>

Sheets

  1. Read a range:
  • bash run.sh sheets-get <spreadsheetId> "Sheet1!A1:D20"
  1. Write values:
  • bash run.sh sheets-set <spreadsheetId> "Sheet1!A1:B2" '[[\"A1\",\"B1\"],[\"A2\",\"B2\"]]'

Calendar

  1. List events:
  • bash run.sh cal-events 10 2026-02-01T00:00:00Z 2026-03-01T00:00:00Z primary
  1. Create an event:
  • bash run.sh cal-create "Workshop" 2026-02-20T02:00:00Z 2026-02-20T03:00:00Z primary "Bangi" "Prep session"

Auth / Security

  • This skill calls a local bridge on 127.0.0.1. If the bridge enforces a secret header, set: export BRIDGE_SECRET="..." before running commands.
  • The bridge uses OAuth tokens stored on the server.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…