ClawAudit verdict
gmail-secretary
The skill is designed to assist with Gmail triage and drafting replies using Haiku LLM. It does not send emails automatically and prioritizes labels over moving/deleting emails.
โ Flagged for review โ coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.
Automated static analysis โ not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
Findings (2)
Possible hardcoded credential
scripts/apply-labels.sh ยท prose ยท downgraded ยท PASSWORD="${GOG_KEYRING_PASSWORD:-openclaw}
References child_process โ can spawn system processes
scripts/apply-labels.sh ยท prose ยท downgraded ยท child_process
Permissions & capabilities
No declared permissions โ minimal attack surface.
Is this flag fair?
Thanks โ recorded.