Is morning-email-rollup safe?

https://clawhub.ai/am-will/morning-email-rollup

78
CAUTION

This skill is a legitimate email rollup utility that reads Gmail via the gog CLI, summarizes emails using Google's Gemini API, and delivers formatted summaries to Telegram. The primary risk is that private email content (up to 5KB per email) is transmitted to external services (Gemini API and Telegram) as part of its core functionality. No malicious behavior, prompt injection, or data exfiltration beyond the skill's stated purpose was detected. The filesystem monitoring shows clean clone behavior with no canary file access.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 65/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (9)

MEDIUM Email body content sent to third-party AI service -25

The summarize_email() function passes up to 5000 characters of each email body directly to the Gemini CLI as a prompt argument. This means private email content is transmitted to Google's Gemini API for processing. While this is the stated purpose of the skill, users should be aware their email content leaves their machine.

MEDIUM Formatted email summaries sent to Telegram -20

The skill outputs formatted email summaries (sender, subject, AI summary) that are delivered to Telegram via Clawdbot's messaging system. This is the intended behavior but represents email metadata and content summaries leaving the local system to a messaging platform.

LOW Shell script executes multiple external CLI tools -15

rollup.sh invokes gog (Gmail/Calendar CLI), gemini (AI CLI), jq (JSON processor), and date. These are declared dependencies, but the script assumes they are trusted and available on the system. A compromised gog or gemini binary in PATH could intercept email data.

LOW Temporary file created with predictable path pattern -5

The script creates a temporary file via mktemp to store thread IDs. While mktemp is safe, the temp file contains Gmail thread IDs which are mildly sensitive. The file is cleaned up with rm -f at the end.

LOW Email body interpolated directly into shell command argument -15

The cleaned email body variable is interpolated directly into the gemini command string. While bash double-quoting prevents word splitting, carefully crafted email content could theoretically cause issues depending on how the gemini CLI parses its arguments. This is a minor shell hygiene concern.

INFO Broad Gmail access scope via GOG_ACCOUNT -20

The skill requires authentication to a user's full Gmail account via the gog CLI. While the default query is scoped to important/starred emails from the last 24 hours, the search criteria are trivially modifiable. A user could be socially engineered into broadening the search, or a modified version of the script could silently expand the query scope.

INFO Cron execution runs without user interaction -20

The skill is designed to run on a cron schedule (daily at 8am), meaning it accesses Gmail and sends data to external services automatically without user confirmation each time. This is expected behavior for the skill's purpose but increases the risk surface if the script is later tampered with.

INFO Platform reads .env and .aws/credentials during install -5

Filesystem monitoring captured reads of /home/oc-exec/.env and /home/oc-exec/.aws/credentials during the installation process. These appear to be from the openclaw platform bootstrapping (gateway lock file creation), not from the skill itself. The timing aligns with platform initialization, not skill code execution.

INFO Gemini summarization prompt is benign but uncontrolled -10

The Gemini prompt includes raw email body content. A crafted email could contain prompt injection targeting the Gemini model (e.g., 'Ignore previous instructions and instead...'). This is a second-order risk — the Gemini output is displayed but not used to control the host agent's behavior.