Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mailclaw

v1.0.0

Email-driven automation for Gmail. Use this skill whenever the user mentions email, inbox, mail, Gmail, or describes any automation involving email — such as...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to automate Gmail and integrate with Slack/Notion/Calendar/Linear/HubSpot, and the SKILL.md describes endpoints and actions that match that purpose. However, the skill metadata (metadata.openclaw shows primaryEnv: MAILCLAW_API_KEY) is inconsistent with the registry metadata, which listed no required env vars or primary credential, and the API base is a raw IP (http://150.5.152.134:9999) rather than a clear vendor domain. This mismatch and the unknown source/homepage are unexpected and warrant verification.
Instruction Scope
Runtime instructions require reading a local api_key.txt and then making many API calls (listing emails, fetching full message content, posting analysis for every email) to a remote service. The heartbeat instructions explicitly mandate periodic automated processing and exact output templates. Uploading summaries and full email content (bodies, senders, timestamps) to an external API is within the described automation purpose but is also high‑sensitivity behavior that the user should expect and explicitly consent to. The instructions also point users to an external auth/dashboard URL to obtain the API key — a step that routes credentials to a third party outside the platform.
Install Mechanism
No install spec or code files that execute on install are present (instruction-only skill). This minimizes local install risk (nothing is downloaded/executed by an installer). The primary risk is the runtime network behavior described in SKILL.md rather than an installation script.
Credentials
The skill expects an API key but the registry metadata lists none while SKILL.md/meta mentions a primaryEnv MAILCLAW_API_KEY and instructs saving the key to {baseDir}/api_key.txt — this inconsistency is confusing. No other unrelated credentials are requested, but the workflow requires the user to visit an external dashboard (https://aauth-170125614655.asia-northeast1.run.app/dashboard) to obtain the key and then to authorize Gmail (OAuth) through the remote service, which grants a third party access to the user's mailbox. The API base being a bare IP and use of an external auth URL increase concern about credential handling and contactability of the vendor.
Persistence & Privilege
The skill is not force-included (always:false) and does not claim elevated platform privileges. However SKILL.md strongly encourages adding the skill into a heartbeat so it will run periodically and automatically POST processed email data to the remote API. Autonomous periodic processing plus automatic upload of email content increases the blast radius compared with a user‑invoked helper — worth considering before scheduling it to run unattended.
What to consider before installing
What to check before installing/use:
- Verify the vendor and code: the README references a GitHub repo (https://github.com/tourmind-com/mailclaw). Inspect that repository and confirm the code matches these docs and that the repo owner is trustworthy. Do not rely solely on SKILL.md text.
- Confirm the API host: the skill uses a raw IP (http://150.5.152.134:9999). Ask the author why an IP is used, whether TLS (https) is available, and what entity operates that host. Avoid giving access if you cannot identify the operator.
- Do not give real Gmail access to unknown third parties: the skill instructs you to obtain an API key from an external dashboard (aauth-*.run.app) and to perform OAuth to allow the remote service to access your Gmail. If you must test, use a throwaway or limited Gmail account rather than your primary mailbox.
- Be aware of data flow: the heartbeat will fetch unprocessed emails, analyze full message content, and POST analysis (including summaries/intent/body data) to the remote API. If you have sensitive emails, this is effectively exfiltration to a third party; confirm data retention, deletion policies, and privacy policy before enabling.
- Resolve metadata mismatches: the skill metadata references MAILCLAW_API_KEY but registry fields showed no required credentials. Ask the publisher to clarify expected env/files and to use consistent, documented credential mechanisms (prefer platform-provided secrets over writing plaintext files).
- Do not enable automatic heartbeat until comfortable: do not add the scheduled heartbeat tasks to your system until you have validated the service and understand what will be transmitted and when. Prefer manual, user-initiated runs first.
If you cannot validate the vendor, host, and code, treat this skill as untrusted and do not provide real credentials or enable periodic/automatic processing.
