Low Risk — Risk Score 20/100
Last scan: 2 days ago
gmail-checker
Check Gmail for unread inbox emails, filtered by priority
Gmail checker skill with legitimate OAuth 2.0 implementation but undeclared filesystem WRITE and network access in SKILL.md.
Skill Name: gmail-checker
Duration: 32.4s
Engine: pi
Safe to install
Add allowed-tools mapping to SKILL.md declaring filesystem:READ/WRITE (for credential paths) and network:READ (for Gmail API). Declare subprocess usage for python3 execution.

Findings (4 items)

Severity | Finding | Location
Low | Missing allowed-tools mapping | SKILL.md:1
  SKILL.md does not declare an allowed-tools mapping despite using filesystem writes and network access.
  Evidence: No allowed-tools declaration present
  → Add allowed-tools mapping: Read→filesystem:READ, Write→filesystem:WRITE, WebFetch→network:READ
Low | Undeclared filesystem WRITE access | scripts/setup_gmail.py:47
  setup_gmail.py creates the ~/.openclaw/credentials/ directory and writes gmail.json. This is necessary for credential storage but undeclared.
  Evidence: os.makedirs(CREDS_DIR, exist_ok=True)
  → Document filesystem WRITE access in SKILL.md for credential storage paths
Info | Proper credential file permissions | scripts/setup_gmail.py:48
  setup_gmail.py sets correct file permissions (0o600) for stored credentials.
  Evidence: os.chmod(CREDS_PATH, 0o600)
  → No action needed - this is good security practice
Info | Standard OAuth 2.0 implementation | scripts/setup_gmail.py:60
  Uses google-auth-oauthlib with proper InstalledAppFlow, refresh tokens, and no secret storage issues.
  Evidence: flow = InstalledAppFlow.from_client_config(client_config, SCOPES)
  → No action needed - this is the correct approach
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | scripts/setup_gmail.py:47 - os.makedirs(CREDS_DIR, exist_ok=True)
Network | NONE | READ | ✗ Violation | scripts/check_gmail.py:55-60 - Gmail API calls to googleapis.com
Shell | NONE | NONE | | SKILL.md references pip install and python3 execution
Indicators (4 findings)

Severity | Type | Value | Location
Medium | External URL | https://console.cloud.google.com/ | references/setup.md:21
Medium | External URL | https://accounts.google.com/o/oauth2/auth | scripts/setup_gmail.py:60
Info | Email address | [email protected] | SKILL.md:65
Info | Email address | [email protected] | SKILL.md:69

File Tree

5 files · 14.4 KB · 480 lines
Python: 2 files, 295 lines · Markdown: 2 files, 165 lines · JSON: 1 file, 20 lines
├─ 📁 references
│ └─ 📝 setup.md Markdown 77L · 3.0 KB
├─ 📁 scripts
│ ├─ 🐍 check_gmail.py Python 191L · 5.7 KB
│ └─ 🐍 setup_gmail.py Python 104L · 3.0 KB
├─ 📋 config.example.json JSON 20L · 343 B
└─ 📝 SKILL.md Markdown 88L · 2.4 KB

Dependencies (2 items)

Package | Version | Source | Known Vulns | Notes
google-api-python-client | not pinned | pip | No | Version not pinned in documentation
google-auth-oauthlib | not pinned | pip | No | Version not pinned in documentation

Security Positives

✓ No base64, eval(), or obfuscated code patterns
✓ No credential exfiltration - credentials stay local in ~/.openclaw/credentials/
✓ No sensitive path access (no ~/.ssh, ~/.aws, .env enumeration)
✓ No reverse shell, C2, or data theft indicators
✓ Proper file permissions (0o600) on credential files
✓ Standard OAuth 2.0 flow with Google APIs
✓ Uses well-known, trusted Google API client libraries
✓ Input validation on OAuth client credentials
✓ Clear, accurate documentation of functionality