Gmail (tc)
Advisory. Audited by static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe this is an official Google-published skill and provide sensitive Gmail access without verifying the publisher.
The skill presents Google as the author, while the supplied registry context lists an unknown source and no homepage. Because the skill asks for Gmail OAuth credentials, an unverified official-looking authorship claim could cause users to over-trust it.
author: Google
author-url: https://developers.google.com/gmail/api
Verify the publisher independently before installing. The skill should clearly state whether it is unofficial and avoid using Google as the skill author unless that provenance is verified.
If an agent invokes these actions too freely, it could send unintended emails, attach the wrong file, or change mailbox state.
The skill documents actions that can send external email with local attachments and modify mailbox labels, but does not include user-confirmation, recipient/file review, or mutation-scope safeguards.
"tool": "gmail_send" ... "attachments": ["/workspace/documents/agenda.pdf"] ... "tool": "gmail_modify_labels"
Require explicit user confirmation before sending email, adding attachments, creating drafts, or modifying labels; show recipients, subject, body, attachments, and mailbox changes before execution.
Anyone with access to these environment variables may be able to use the connected Gmail account according to the granted OAuth scopes.
The Gmail OAuth client secret and refresh token are expected for Gmail API access, but they are sensitive long-lived credentials and the registry metadata does not declare required env vars or a primary credential.
"env": ["GMAIL_CLIENT_ID", "GMAIL_CLIENT_SECRET", "GMAIL_REFRESH_TOKEN"]
Use a dedicated OAuth client, grant the minimum Gmail scopes needed, keep the refresh token out of logs and shared workspaces, and revoke it when no longer needed.
The reviewed artifacts do not show what code would actually call Gmail or how dependencies would be installed.
The skill references external Python packages, but the provided artifact set has no install spec, lockfile, or code to inspect. This is not suspicious by itself, but limits review of the actual runtime implementation.
"python_packages": ["google-api-python-client", "google-auth-httplib2", "google-auth-oauthlib"]
Install only from a trusted package source, pin dependency versions where possible, and inspect any runtime code before granting Gmail credentials.
