Skill v2.0.0
ClawScan security
PayLessTax Email Campaign · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 4, 2026, 6:43 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions require sensitive Gmail service-account credentials and reference a secrets path, but the registry metadata does not declare these requirements. The mismatch and the hardcoded secret path are concerning and should be clarified before use.
- Guidance: Do not install or run this skill until the following are clarified and addressed:
  - Confirm where and how the Gmail service-account JSON is provided. The registry says no required env vars or config paths, but SKILL.md and config/settings.json expect sensitive credentials (and settings.json contains a hardcoded secrets path). Do not supply credentials until you verify the account belongs to you and has the minimal scopes required.
  - Domain-wide delegation/impersonation is powerful: ensure the service account's privileges are strictly limited and audited. Prefer a dedicated mailbox and least-privilege credentials (not full domain delegation) where possible.
  - Ask the author to remove or parameterize the hardcoded path (/home/papawespeak/...) in config/settings.json and to declare the required env vars/config in the registry metadata (GOOGLE_SERVICE_ACCOUNT, USER_EMAIL, MAILING_LIST_PATH). The registry should reflect actual runtime needs.
  - Confirm mailing list legality and opt-in status. This code will send high-volume email (1,000/day); ensure compliance with anti-spam rules, organizational policy, and Gmail sending limits. Validate unsubscribe handling: the current code only counts unsubscribe messages and does not automatically remove addresses from lists.
  - Review and test in a controlled environment with a small opt-in list before scaling. Log and monitor all sending activity and restrict who can provide credentials. If the author cannot or will not explain the credential handling and remove the hardcoded secret path, treat the skill as unsafe to install.
Review Dimensions
- Purpose & Capability (note): The declared purpose (sending 4x daily batches, tracking bounces/unsubscribes, managing Gmail via a service account) aligns with the code, which sends emails via the Gmail API and uses a service account with subject impersonation. However, the registry metadata lists no required credentials or config paths, while SKILL.md and index.py clearly expect service-account credentials and a mailing-list file; this mismatch is unexpected and should be corrected.
- Instruction Scope (concern): SKILL.md instructs scraping the inbox for new contacts and managing Gmail; index.py implements inbox searches for bounces/unsubscribes but does not implement contact scraping or automatic removal of unsubscribes. The instructions also imply domain-wide delegation and inbox access; these are broad operations that grant full mailbox access and should be explicitly declared and constrained.
- Install Mechanism (ok): There is no install spec (instruction-only plus a Python file). The code imports standard Python packages (Google client libraries, pandas) but does not download arbitrary executables or fetch code from untrusted URLs. Risk from the install mechanism itself is low, but the runtime dependencies must be present in the environment.
- Credentials (concern): Although the registry metadata lists no required env vars or config paths, SKILL.md documents a GOOGLE_SERVICE_ACCOUNT and config/settings.json contains a hardcoded path to a service-account file under '/home/papawespeak/.openclaw/workspace/secrets/gmail-sa.json'. The skill therefore expects access to highly sensitive Gmail service-account credentials (with the gmail.modify scope and impersonation), which is proportionate to mass-emailing but must be declared and audited. The hardcoded secret path is a red flag and may expose, or assume access to, workspace secrets.
- Persistence & Privilege (note): The skill is not always-enabled and does not request special platform privileges. The agent may invoke the skill autonomously (the default), which increases the blast radius if credentials are misused; combined with the broad Gmail credential requirement this is an operational concern, though autonomous invocation alone is normal.
