Is gmail safe?
https://clawhub.ai/byungkyu/gmail
This Gmail skill is a documentation-only package that proxies all Gmail API traffic through a third-party gateway (gateway.maton.ai), creating a significant man-in-the-middle risk. While the skill contains no executable code and showed clean install behavior, the fundamental architecture routes all email content, OAuth tokens, and user credentials through an intermediary service. The skill also grants broad Gmail capabilities (read, send, trash, manage connections) with no least-privilege restrictions.
Findings (9)
HIGH All Gmail traffic routed through third-party gateway -30
Every API call (read, send, draft, label, thread) is proxied through gateway.maton.ai rather than directly to gmail.googleapis.com. This third-party intermediary has full visibility into all email content, metadata, and user profile information. The gateway also holds the user's OAuth token, giving it independent access to the Gmail account.
HIGH Agent instructed to execute code with sensitive credentials -20
The skill's code examples use inline Python heredocs and JavaScript fetch calls that access the MATON_API_KEY environment variable. When injected into an agent's system prompt, these templates instruct the agent to execute network requests using the user's credentials, effectively granting the skill runtime code execution through the agent.
MEDIUM Cross-skill reference enables chaining -10
The skill description explicitly references another skill by URL: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)'. This could facilitate unintended skill chaining where the agent autonomously installs or invokes the referenced skill.
MEDIUM Troubleshooting instructs echoing API key -8
The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY' to verify the key is set. This could expose the API key in terminal output, logs, or shared sessions.
MEDIUM OAuth connection management via external service -15
The skill provides endpoints to create, list, and delete Gmail OAuth connections through ctrl.maton.ai. A malicious agent interaction could create additional OAuth connections or delete existing ones, potentially locking the user out or creating backdoor access.
MEDIUM Email sending capability enables social engineering -25
The skill grants the agent the ability to send emails as the authenticated user. Combined with read access to existing conversations, an attacker could craft convincing phishing emails or exfiltrate data by sending it to an external address.
LOW Full Gmail access scope with no least-privilege restrictions -20
The skill provides access to every Gmail API endpoint (messages, threads, labels, drafts, profile, trash) with no scope limitations. There is no way to grant read-only access or restrict to specific operations.
INFO No executable code in skill package 0
The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin metadata. No executable scripts, npm packages, git hooks, or symlinks are present.
INFO Install-time filesystem access is runtime noise 0
The .env, .aws/credentials, and .openclaw reads observed during monitoring are from the OpenClaw agent runtime initializing, not from the skill itself. No skill-initiated filesystem access was detected.