Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Email Automation
v1.1.0Automate email triage, categorize, draft replies, and auto-archive in Gmail, Outlook, or IMAP to maintain an organized, efficient inbox.
⭐ 0· 756·10 current·10 all-time
by@fly3094
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The SKILL.md claims full integration with Gmail, Outlook, and IMAP and shows setup steps for OAuth tokens/credentials, which is appropriate for an email automation tool. However, the registry metadata lists no required environment variables or primary credential, and the included Python script does not implement any provider connectors—it only simulates fetching emails. Requesting OAuth tokens/IMAP passwords in the docs without corresponding code to use them is inconsistent.
Instruction Scope
The runtime instructions and config block instruct users to set sensitive environment variables (GMAIL_CREDENTIALS_FILE, OUTLOOK_ACCESS_TOKEN, IMAP_PASSWORD) and walk through setup steps for real API access. The script (scripts/email_processor.py) does not read or use those provider-specific variables and operates entirely on a simulated email list, which means the instructions promise behavior the code does not perform. That gap could mislead users into providing credentials unnecessarily.
Install Mechanism
There is no install spec and only a small, included Python script; nothing is downloaded or extracted from external URLs. Risk from installation mechanism itself is low.
Credentials
The SKILL.md asks for multiple sensitive environment values (OAuth credentials, access tokens, IMAP password) that are proportional to real email automation. However, those variables are not declared in the registry metadata and are not used by the shipped script. Asking for credentials that the packaged code doesn't use is disproportionate and potentially dangerous if a user supplies them.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or system-wide settings. It writes its own data to a local directory ('.email-automation' or EMAIL_AUTOMATION_DATA_DIR), which is normal for a local tool.
What to consider before installing
Do not supply real access tokens, passwords, or OAuth credentials to this skill yet. The documentation asks for Gmail/Outlook/IMAP credentials, but the included script only simulates email processing and does not use those credentials—this is an inconsistency that should be resolved. Before installing or providing secrets: 1) Ask the author for a clear explanation or an updated release that actually implements provider connectors; 2) Request the exact code paths that will handle tokens and network calls and verify they use secure OAuth flows and least privilege; 3) If you want to test real email integration, do so with a throwaway account and short-lived tokens; 4) Prefer skills that declare required env vars/primary credential in registry metadata and have visible, audited connector code that performs network requests to official provider endpoints. The publisher is unknown and there is no homepage—treat this package as prototype/demo until the above questions are answered.Like a lobster shell, security has layers — review code before you run it.
aivk974pa9m3ds3zhk1pv8xdqs8a182fbmzautomationvk974pa9m3ds3zhk1pv8xdqs8a182fbmzemailvk974pa9m3ds3zhk1pv8xdqs8a182fbmzgmailvk974pa9m3ds3zhk1pv8xdqs8a182fbmzinboxvk974pa9m3ds3zhk1pv8xdqs8a182fbmzlatestvk9701p4wfsweg22t0vvg370h4x84t2tkoutlookvk974pa9m3ds3zhk1pv8xdqs8a182fbmzproductivityvk974pa9m3ds3zhk1pv8xdqs8a182fbmz
License
MIT-0
Free to use, modify, and redistribute. No attribution required.