Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gmail Integration

v0.1.0

Gmail integration - Send emails, manage labels, and automate Gmail workflows with full OAuth2 support


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lukaizj/lukaizj-gmail.

Install the skill "Gmail Integration" (lukaizj/lukaizj-gmail) from ClawHub.
Skill page: https://clawhub.ai/lukaizj/lukaizj-gmail
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: GMAIL_CLIENT_ID, GMAIL_CLIENT_SECRET
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install lukaizj-gmail

ClawHub CLI


npx clawhub@latest install lukaizj-gmail
Security Scan
Capability signals
Requires OAuth token
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The name/description and required env vars (GMAIL_CLIENT_ID, GMAIL_CLIENT_SECRET) match a Gmail integration. However, the code never implements an OAuth2 token exchange or attaches Authorization headers to Gmail API calls. The code also uses an incorrect endpoint string (e.g., '.../messages.send' instead of the expected '/messages/send' path), so it cannot actually call Gmail on behalf of a user. Claiming 'Full OAuth2 support' in SKILL.md is inconsistent with the code.
! Instruction Scope
SKILL.md instructs you to create OAuth credentials and set env vars, but does not explain how the skill obtains or stores access/refresh tokens, nor how to complete the OAuth consent/redirect flow. The runtime instructions and code do not direct the agent to perform an OAuth handshake or to prompt the user for an authorization code, so runtime behavior will either fail or require ad-hoc manual steps. The instructions are therefore incomplete and grant the agent ambiguous discretion to attempt network calls without proper auth.
Install Mechanism
No install spec or external downloads are included; the skill is instruction-only with a single Python file. That minimizes install-time risk (nothing is fetched or extracted).
Credentials
Requesting GMAIL_CLIENT_ID and GMAIL_CLIENT_SECRET is reasonable for an app that performs OAuth. However, those two values alone are insufficient for API access — the code should obtain and use access tokens. There are no other environment variables or unrelated credentials requested, so the scope of requested secrets is narrow but currently misapplied.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide configuration or modify other skills. It does read environment variables at module import, which is normal for credentials.
What to consider before installing
This skill claims 'full OAuth2 support' but the code does not perform the OAuth token exchange or include Authorization headers, and it uses an incorrect API path — in short, it won't work as advertised. Before installing:
  (1) review or request fixes to the code so it implements the OAuth2 flow (authorization code or device flow), exchanges client_id/secret for tokens, and sends 'Authorization: Bearer <access_token>' with requests;
  (2) test with a throwaway Google account / limited-scope credentials, not your primary account;
  (3) avoid pasting production client_secret into untrusted skills — if you must provide secrets, ensure you understand where tokens are stored and whether the skill transmits them elsewhere;
  (4) ask the author to correct endpoint URLs and document token storage/refresh behavior.
Because the pieces don't line up, treat this skill as non-functional and review or fix the implementation before giving it real credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: GMAIL_CLIENT_ID, GMAIL_CLIENT_SECRET
latest: vk97eet8pyezh8xwba8yvgyewkx857x55
109 downloads
0 stars
1 version
Updated 1w ago
v0.1.0
MIT-0

Gmail Integration

Gmail integration skill for OpenClaw. Send emails, manage labels, and automate Gmail workflows.

Capabilities

  • Send emails via Gmail API
  • List recent emails from inbox
  • Create and manage custom labels
  • Full OAuth2 support for secure authentication

Setup

  1. Go to Google Cloud Console (https://console.cloud.google.com/)
  2. Create a new project or select existing
  3. Enable Gmail API from API Library
  4. Create OAuth 2.0 credentials:
    • Go to "Credentials" → "Create Credentials" → "OAuth client ID"
    • Application type: "Desktop app"
    • Download the JSON and get client_id and client_secret
  5. Configure environment variables

Environment Variables

Variable             Required  Description
GMAIL_CLIENT_ID      Yes       OAuth Client ID from Google Cloud
GMAIL_CLIENT_SECRET  Yes       OAuth Client Secret

Usage Examples

Send an email to boss@example.com with subject "Project Update" and body "The project is complete"

List my recent emails from Gmail

Create a new label named "Projects/OpenClaw"

Message Types

  • Plain text emails
  • HTML emails (coming soon)
  • Emails with attachments (coming soon)

Rate Limits

Google Gmail API has rate limits:

  • 100:00 requests per day
  • 100 requests per second

Troubleshooting

  • "Invalid credentials": Re-check your OAuth credentials
  • "Rate limit exceeded": Wait before making more requests
  • "Account not verified": Your app needs to go through Google's verification for sensitive scopes
