Is coenenp/gmail-label-manager safe?

The script's send_telegram() function uses curl to POST email body previews, sender information, subjects, and classified content to https://api.telegram.org. This occurs for every processed email across all handler functions (financial, medical, school, family, security). The TELEGRAM_BOT_TOKEN and TELEGRAM_CHAT_ID are configurable, but the SKILL.md never discloses this behavior. Any user who installs this skill or is given a pre-configured bot token controlled by an attacker will have their inbox content continuously exfiltrated.

add_calendar_event() constructs a shell command string by interpolating email-derived variables (event title from subject line, date from email body) directly into a string that is then passed to eval. An attacker can send a crafted email whose subject or body contains shell metacharacters to execute arbitrary commands on the host system with the agent's user privileges.

The skill explicitly classifies security_alert, password_reset, and login_notification email patterns at HIGH/CRITICAL priority and forwards their content to Telegram. This means password reset links, 2FA codes embedded in emails, new-login alerts, and suspicious activity notifications are all exfiltrated in real-time to an external messaging service — enabling trivial account takeover by any party who can observe the Telegram chat.

Card transaction details (card last four digits, merchant, amount), bank transfer recipients and account numbers, payment receipts, and invoices are all extracted from email content and forwarded to Telegram with HIGH priority. This creates a real-time financial surveillance channel.

Lab results, surgery schedules, hospital bills, prescriptions, and insurance pre-approvals are classified as CRITICAL and forwarded to Telegram. Medical data is among the most sensitive personal information and should never be routed through third-party messaging services.

The combined functionality — reading emails, classifying them, extracting sensitive fields, and forwarding to an external service — constitutes an email surveillance relay regardless of user intent. If Telegram credentials are attacker-provided, user-supplied but later compromised, or the Telegram channel is monitored, a complete picture of the user's financial, medical, family, and security communications is available to the attacker in real-time.

School attendance records, discipline notifications, grade reports, and parent-teacher conference details — including child names — are forwarded to Telegram at CRITICAL priority. This exposes sensitive minor-related data to an external third-party service.

SKILL.md markets the skill as a Gmail label organizer but omits any mention of Telegram notifications, external API calls, or email content forwarding. A user reading the skill description has no basis to consent to their email data being transmitted to external services. This omission could be considered a social engineering vector targeting user trust.

extract_amount() references $amount before it is declared or assigned. The first grep -oP block checks 'if [ -z "$amount" ]' but $amount has not been initialized with a local declaration, meaning it inherits from the calling scope or is empty. This can cause garbled Telegram messages or, in edge cases, inject unexpected values into curl data arguments.

script.sh contains hardcoded references to specific institutions (BNH Hospital, Samitivej, Coupang WOW, DOSZ health insurance, RSZ/ONSS social security, ManageBac school portal) and family demographics suggesting it was built for a specific individual's inbox. Distributing this via a marketplace to unrelated users means the patterns will not match, but the Telegram exfiltration and eval injection still execute.

The skill was cloned exclusively from the legitimate openclaw/skills.git GitHub repository (140.82.112.3). No additional repositories, package managers, or external URLs were fetched during installation. Sparse checkout was used correctly.