Gmail Lead Monitor
v1.0.0Monitor a Gmail inbox for new emails matching keywords and send real-time Telegram alerts while starring important messages in Gmail.
⭐ 0· 78·0 current·0 all-time
byMike@themsquared
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Gmail -> Telegram alerts, star Gmail messages) matches the implementation: code connects to imap.gmail.com, logs in with an app password, searches UNSEEN messages, stars matches, and posts to the official Telegram API. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs creating a local config file with email/app password/telegram token/chat id and running the provided script. The code reads only that config path (~/.config/gmail_monitor/config.json), writes a seen_ids state file in the same directory, and does IMAP/HTTP calls appropriate to the task. It does not access other system paths, call arbitrary endpoints, or perform actions outside the stated scope.
Install Mechanism
There is no install spec and no downloads; the skill is instruction-only with a single Python stdlib script. Nothing is written to disk by an installer beyond the user-created config and the provided script.
Credentials
No platform environment variables are required (credentials are stored in a local config file), which is consistent with the SKILL.md. However, the skill requires sensitive secrets (Gmail app password and Telegram bot token/chat id) stored in plaintext in ~/.config/gmail_monitor/config.json — this is functionally necessary but has security implications the user should consider.
Persistence & Privilege
The skill does not request always:true and has no special platform privileges. Running it as a daemon or via cron is up to the user; the script maintains only its own seen-state file and does not modify other skill or system configurations.
Assessment
This skill appears to do exactly what it says, but it requires you to store sensitive credentials (Gmail App Password and Telegram bot token) in a local config file. Before installing, consider: 1) Only use a Gmail App Password (not your primary account password) and enable 2FA; rotate the app password if you stop using the tool. 2) Restrict the config file permissions (chmod 600 ~/.config/gmail_monitor/config.json and the seen_ids file) so other users on the system cannot read them. 3) Review the full script yourself or run it in a restricted environment (container or isolated VM) if you don't trust the unknown source. 4) Prefer running via cron/one-shot if you don't want a long-running daemon that keeps credentials on disk. 5) If you need stronger protection, integrate secrets with an OS keyring or secret manager rather than storing plaintext. Finally, verify the code you install matches the version you reviewed (source is unknown).Like a lobster shell, security has layers — review code before you run it.
automationvk974yhwz42jgcge1nac0nktp1n83dvpjemailvk974yhwz42jgcge1nac0nktp1n83dvpjgmailvk974yhwz42jgcge1nac0nktp1n83dvpjlatestvk974yhwz42jgcge1nac0nktp1n83dvpjleadsvk974yhwz42jgcge1nac0nktp1n83dvpjmonitoringvk974yhwz42jgcge1nac0nktp1n83dvpjtelegramvk974yhwz42jgcge1nac0nktp1n83dvpj
License
MIT-0
Free to use, modify, and redistribute. No attribution required.