Skill v1.0.0

ClawScan security

Gmail Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 4:02 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The skill mostly does what it claims (talk to a local Gmail/Drive/Sheets/Calendar bridge) but contains inconsistencies and undocumented behavior that could cause data to be sent somewhere other than the local bridge — review before use.
Guidance
This skill is close to benign but has a few red flags you should address before installing or using it:
- Confirm the bridge really runs on 127.0.0.1:8787 and that you control it. The script defaults to that host, but it will honor a GMAIL_BRIDGE_URL environment variable (not documented in SKILL.md) — ensure no unexpected env var points the skill at a remote host.
- The SKILL.md shows a 'forward' command example, but run.sh does not implement a forward case. Expect some documentation/code mismatch and test behavior first.
- If your bridge enforces a secret header, set BRIDGE_SECRET locally; otherwise do not export secrets globally. Prefer setting BRIDGE_SECRET only in a controlled shell/session.
- Review run.sh locally (it’s short) to confirm it only calls endpoints you expect. If you don’t run a trusted local bridge, do not use this skill.

If you want to proceed safely: run the script in a controlled environment, verify BASE_URL (and unset any GMAIL_BRIDGE_URL), and confirm the bridge’s authentication and audit/logging before exposing real mail or files.

Review Dimensions

Purpose & Capability: ok
Name/description (local Google Workspace bridge) align with the provided script and examples. Required binaries (curl, jq) are reasonable for an HTTP-to-jq CLI wrapper. There are no excessive permissions or unrelated credentials requested.
Instruction Scope: concern
SKILL.md and run.sh mostly match for read/list/get operations, but SKILL.md documents a 'forward' command and duplicates some sections, while run.sh has no 'forward' case: a mismatch. SKILL.md states the bridge is at http://127.0.0.1:8787, but the script reads GMAIL_BRIDGE_URL to override the base URL (SKILL.md documents BRIDGE_SECRET but not GMAIL_BRIDGE_URL). That means the tool can be pointed at a remote endpoint via an environment variable not called out in the README, creating a risk that email/content could be sent off-machine if GMAIL_BRIDGE_URL is set.
Install Mechanism: ok
Instruction-only with a small shell script; there is no install spec or external downloads, so nothing is written to disk beyond the shipped run.sh.
Credentials: concern
SKILL.md documents an optional BRIDGE_SECRET env var (reasonable). However, the script also honors GMAIL_BRIDGE_URL, which is not documented in SKILL.md; the skill declares no required env vars but will act on that undocumented variable. An attacker or misconfiguration that sets GMAIL_BRIDGE_URL could redirect data to a non-local host. No other credentials are requested.
Persistence & Privilege: ok
The skill is not always-on, has no install steps that modify the system or other skills, and does not request persistent privileges. Model invocation is allowed (the default), which is normal for skills.