Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mail Summary

v1.1.6

Fetch Gmail emails from the last 24h, rank by importance, summarize into bullet points, and auto-create Google Calendar events for detected meetings.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for russidan-nadee/mail-summary.

Install the skill "Mail Summary" (russidan-nadee/mail-summary) from ClawHub.
Skill page: https://clawhub.ai/russidan-nadee/mail-summary
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install mail-summary

ClawHub CLI

npx clawhub@latest install mail-summary

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The code files implement exactly what the description promises: reading Gmail (readonly), summarizing, detecting meetings, and creating Calendar events. The requested Google OAuth credentials and token storage are consistent with that purpose.
! Instruction Scope
Agent instructions require the agent to write the user's client_secret JSON to disk and run multiple scripts itself (setup_auth.py, fetch_emails.py, etc.). This is expected for OAuth, but the SKILL.md / agent instructions say to write the client_secret file to the project root while the code (find_credentials_file) looks in ~/.openclaw/config/mail-summary — a direct inconsistency that will break the flow unless the agent moves files. The setup process also tells the agent to print auth URLs and accept the redirect URL from the user (normal OAuth), but instructing the agent to write sensitive client secrets to disk should be done deliberately and with the correct target path.
Install Mechanism
No install spec (instruction-only), so nothing is downloaded automatically. Code will be executed by the agent from the skill folder. Note: requirements.txt does not include 'psutil', but several scripts import or require psutil (refresh_service.py), so the provided dependency list is incomplete and will cause runtime errors unless corrected.
Credentials
No environment variables or unrelated credentials are requested; instead the skill uses OAuth client secrets and token.json which is appropriate for Gmail/Calendar access. The code stores tokens under ~/.openclaw/config/mail-summary which is reasonable but does give the skill persistent access to a filesystem location under the user's home — verify permissions and trust for stored tokens.
! Persistence & Privilege
The skill attempts to start a long-running refresh_service that refreshes OAuth tokens every 30 minutes. setup_auth.py tries to auto-run refresh_service.py after auth using subprocess.run (blocking call) — this is likely to hang the auth script because refresh_service loops forever. The skill will create persistent artifacts (token.json, lock file) and may spawn a background process; this elevated persistence should be expected and authorized explicitly by the user.
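
The blocking behaviour described above, shown as an added example that is not the skill's setup_auth.py. A constructed child process that loops forever stands in for refresh_service.py, and the function names are illustrative.

```python
import subprocess
import sys

# Constructed stand-in for refresh_service.py: a child that never exits on its own.
FOREVER_CHILD = [sys.executable, "-c", "import time\nwhile True: time.sleep(1)"]


def run_blocking(cmd, timeout):
    """Reproduce the reported pattern: subprocess.run waits for the child to exit.

    The timeout exists only so this demonstration can return at all.
    Returns True if the call was still blocked when the timeout fired.
    """
    try:
        subprocess.run(cmd, timeout=timeout)
    except subprocess.TimeoutExpired:
        return True  # run() killed the child and raised; it never returned normally
    return False


def launch_background(cmd):
    """Start the service without waiting for it and return the process handle."""
    return subprocess.Popen(
        cmd,
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        start_new_session=True,  # POSIX: own session, detached from the caller's terminal
    )


def stop(proc, grace=5):
    """Terminate the background service; escalate to kill if it does not exit."""
    proc.terminate()
    try:
        proc.wait(timeout=grace)
    except subprocess.TimeoutExpired:
        proc.kill()
        proc.wait()
    return proc.returncode


if __name__ == "__main__":
    print("run() blocked:", run_blocking(FOREVER_CHILD, timeout=2))
    svc = launch_background(FOREVER_CHILD)
    print("Popen returned, pid", svc.pid, "still running:", svc.poll() is None)
    print("stopped with return code", stop(svc))
```

Keeping the handle (or at least the PID) is what lets the user stop the refresh process later, which matters because it holds live OAuth access.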
What to consider before installing
This skill appears to implement the advertised Gmail summary + calendar creation, but it has several implementation problems and some persistence behavior you should be aware of:

  • Credential placement mismatch: The SKILL.md / agent instructions tell the agent to save the user-provided client_secret_*.json in the project root, but the code's find_credentials_file() looks in ~/.openclaw/config/mail-summary. Confirm where the agent will place the file (preferably ~/.openclaw/config/mail-summary) or update the code/instructions before running.
  • Sensitive files written to disk: The agent is instructed to write the user-provided client_secret file and the resulting token.json to disk. Only proceed if you trust the skill/source and you understand these files grant access to your Gmail and Calendar (scopes: gmail.readonly and calendar.events).
  • Missing dependency: refresh_service.py uses psutil but requirements.txt does not list it. Install psutil (pip install psutil) or add it to requirements.txt to avoid runtime failure.
  • Blocking auto-run of refresh service: setup_auth.py attempts to run refresh_service.py with subprocess.run, which will block because refresh_service loops forever. This will likely hang the auth process. Instead, run refresh_service.py in the background yourself (e.g., nohup/pythonw, systemd, or use subprocess.Popen), or modify setup_auth.py to spawn it as a daemon.
  • Persistence and cleanup: The skill creates ~/.openclaw/config/mail-summary/token.json and a refresh_service.lock file in the scripts folder. If you later uninstall, remove these files and stop the background process to revoke persistent access.
  • Source trust: The skill's Homepage is missing and the repository is unknown; because the skill will receive OAuth credentials and store tokens locally, only install if you trust the code. Review the scripts locally or run them in an isolated environment before granting access.

If you want help: I can produce a patched setup_auth.py that launches refresh_service.py in the background safely, update instructions to use the CREDENTIALS_DIR path, and add psutil to requirements.txt so installation works as intended.
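
One way to check the stored credential files the scan report asks users to verify, as an added example that is not part of the skill or of the scanner's output. The two directories are the paths named on this page; the function names are illustrative, and the permission checks assume a POSIX filesystem.

```python
import os
import stat
from pathlib import Path

# Locations named on this page: where the code stores tokens, and the skill
# folder (project root) where the instructions say to write client_secret_*.json.
CREDENTIALS_DIR = Path.home() / ".openclaw" / "config" / "mail-summary"
SKILL_DIR = Path.home() / ".openclaw" / "workspace" / "skills" / "mail-summary"
SENSITIVE_GLOBS = ("token.json", "client_secret_*.json")


def audit_credentials_dir(directory):
    """Return (path, octal_mode, problem) for each weakly protected artefact."""
    directory = Path(directory)
    findings = []
    if not directory.is_dir():
        return findings
    dir_mode = stat.S_IMODE(directory.stat().st_mode)
    if dir_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append((str(directory), oct(dir_mode), "directory writable by group/other"))
    for pattern in SENSITIVE_GLOBS:
        for path in sorted(directory.glob(pattern)):
            st = path.lstat()  # lstat so a symlink is reported, not followed
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                findings.append((str(path), oct(mode), "symlink, real file lives elsewhere"))
            elif mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((str(path), oct(mode), "accessible by group/other"))
    return findings


def tighten(path):
    """Restrict a credential file to owner read/write (0600)."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)


if __name__ == "__main__":
    for location in (CREDENTIALS_DIR, SKILL_DIR):
        for path, mode, problem in audit_credentials_dir(location):
            print(f"{path} [{mode}]: {problem}")
```

A client_secret_*.json reported under the skill folder rather than the config directory is the placement mismatch the scan describes.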

Like a lobster shell, security has layers — review code before you run it.

128 downloads
0 stars
5 versions
Updated 1mo ago
v1.1.6
MIT-0

name: mail-summary
description: Fetch Gmail emails from the last 24h, rank by importance, summarize into bullet points, and auto-create Google Calendar events for detected meetings.

Email & Calendar Assistant Skill

Description

This skill reads Gmail emails, ranks them by importance, summarizes each email into bullet points, and creates Google Calendar events if an email contains a meeting or interview that is not already on the calendar.

Capabilities

  • Read emails (read-only)
  • Rank emails by importance
  • Summarize emails into bullet points
  • Detect meeting/interview emails
  • Create Google Calendar events (only when not already added)
  • Auto-refreshes Google OAuth token as needed for uninterrupted access.

Installation

Via ClawHub (recommended):

clawhub install mail-summary

Manual:

git clone https://github.com/Russidan-Nadee/mail-summary.git ~/.openclaw/workspace/skills/mail-summary

Setup Instructions (First-Time Only)

Step 1 — Get Google API credentials

  1. Go to Google Cloud Console
  2. Create a new project (or select existing one)
  3. In the left sidebar, go to APIs & Services → click Enable APIs and Services
  4. Search and enable each of the following:
    • Gmail API
    • Google Calendar API
  5. In the left sidebar, go to APIs & Services → OAuth consent screen
    • Click Get Started
    • Fill in App name and User support email → click Save and Continue
    • Under Audience → click Add Users → add your Google email → click Save
  6. In the left sidebar, go to APIs & Services → Credentials
  7. Click Create Credentials → OAuth client ID
  8. Under Application type select Desktop app
  9. Give it a name (e.g. Mail Summary) → click Create
  10. Click Download JSON → you'll get a file named client_secret_*.json

Step 2 — Connect to the agent

  1. Send the client_secret_*.json file to the agent as an attachment
    • Via Telegram: send as a file (not photo) in your Clawdbot chat
    • Via Claude Desktop: drag and drop the file into the chat
    • Via other platforms: attach the file the same way you attach any document
  2. The agent will print an authorization URL — click it to open in your browser
  3. Log in with your Google account and click Allow
  4. Your browser will redirect to a localhost page showing an error — this is normal
  5. Copy the full URL from your browser address bar (starts with http://localhost/?...)
  6. Paste that URL back to the agent

Step 3 — Done!

The agent will confirm: "Auth complete. I can now access your Gmail and Google Calendar."

From now on just say: "Summarize today's important emails"

Configuration

This skill uses a config.yaml file in the project root for runtime configuration. You can edit this file to control timezone, retry behavior, and logging level.

Example config.yaml:

timezone: Asia/Bangkok    # Timezone for calendar events (e.g. Asia/Bangkok, UTC, Asia/Tokyo)
max_retries: 5            # Max retry attempts for authentication and API calls
log_level: INFO           # Logging level: DEBUG, INFO, WARNING, ERROR, CRITICAL

Agent Instructions

See agent/instructions.md for full agent instructions (commands, auth setup, behavior).
