voice-email

Review

Audited by ClawScan on May 10, 2026.

Overview

This accessibility email skill is mostly coherent, but it can send Gmail messages from Telegram voice transcripts without clearly documenting sender restrictions or a pre-send confirmation step.

Review this before installing. It fits its stated accessibility purpose, but you should use a test or dedicated Gmail account, restrict the Telegram bot to trusted users, verify gogcli before installing it, and require a clear preview-and-confirm step before any email is sent.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A misheard or incorrectly parsed voice command could send an email from the user's Gmail account to the wrong recipient or with the wrong content.

Why it was flagged

The documented workflow sends the email before confirmation. For a high-impact account action, a transcription or parsing error could send unintended mail.

Skill content
The agent will:
1. Transcribe it (via Deepgram)
2. Parse the fields
3. Send the email (via gogcli)
4. Confirm via text
Recommendation

Require a read-back preview of recipient, subject, and body plus an explicit second confirmation before sending, especially for new or unknown recipients.

What this means

If the Telegram bot is reachable by unintended users, they may be able to trigger email-sending behavior through voice messages.

Why it was flagged

The artifacts describe Telegram voice messages as triggers for Gmail sending, but do not specify allowed Telegram users/chats or sender verification.

Skill content
Telegram bot - For receiving voice messages ... Send a voice message on Telegram ... The system will: Transcribe your voice ... Send the email
Recommendation

Restrict the bot to trusted chat IDs or authenticated users, reject unrecognized senders, and require confirmation before any Gmail send.

What this means

Compromise or misuse of these credentials could affect the user's email account, Telegram bot, or paid transcription services.

Why it was flagged

The skill requires sensitive API keys and delegated Gmail access. This is expected for the stated purpose, and the artifacts do not show hardcoded credentials or credential leakage.

Skill content
credentials:
  - deepgram_api_key
  - telegram_bot_token
  - gmail_oauth  # via gogcli, stored in system keyring
Recommendation

Use dedicated test accounts where possible, grant the narrowest Gmail access available, protect openclaw.json and the system keyring, and revoke tokens when uninstalling.

What this means

Installing the wrong or compromised CLI could expose Gmail OAuth access or affect email sending.

Why it was flagged

The setup relies on a third-party global CLI or downloaded binary that is not pinned in the artifacts. This is user-directed and central to the Gmail integration.

Skill content
npm install -g gogcli ... Download from https://gogcli.ai and verify the binary checksum.
Recommendation

Install gogcli only from a trusted source, verify checksums or package provenance, and consider pinning a known-good version.