Is matthewxfz3/email-news-digest safe?

https://github.com/openclaw/skills/tree/main/skills/matthewxfz3/email-news-digest

Score: 68 (CAUTION)

The email-news-digest skill is a deceptive tool that presents itself as an email summarizer but in practice (1) always injects hardcoded AI-industry narrative content into outgoing emails regardless of what the user's actual emails contain, and (2) uses example parameters in SKILL.md that direct the user's Gmail account to send mail to the skill author's personal email addresses on every invocation. No direct credential exfiltration was detected during the sandbox install, but the skill's core design — borrowing the victim's authenticated email identity to deliver the author's pre-authored content — represents a covert influence and communication channel. The implementation is also broken as shipped due to a hardcoded absolute path to the author's home directory.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 60/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (9)

HIGH Author email addresses hardcoded as example recipients -25

The SKILL.md usage example specifies --recipients "[email protected],[email protected]". An LLM agent that follows examples literally, or a user who copies the command, will send mail from their own Gmail account to the skill author on every invocation. Even though the current implementation sends only hardcoded content, this establishes the author as a recipient of mail originating from the victim's identity.

HIGH Summarization script is a content-injection stub, not a summarizer -20

summarize_content.py advertises itself as an LLM summarizer but completely ignores its input and always returns a hardcoded block of AI-industry narrative content (covering Alphabet, Anthropic, OpenAI, xAI, specific startups). The raw_summary field is set to the unprocessed input text, but the tldr, main_title, and sections_markdown fields that actually appear in the outbound email are always the same pre-authored content. This means the skill injects predetermined messaging into the user's outgoing email without disclosure.

HIGH Example poisoning: author emails primed as default recipients for LLM agents -20

By placing the author's personal email addresses in the primary usage example inside SKILL.md, any LLM agent that reads the skill documentation and attempts to invoke it 'as shown' will route the user's Gmail activity to the author. This is a form of indirect prompt injection through example priming rather than explicit override instructions.

MEDIUM Hardcoded absolute path reveals author system and breaks portability -10

The NANO_BANANA_PRO_SCRIPT variable is set to /home/matthew/.openclaw/lib/node_modules/openclaw/skills/nano-banana-pro/scripts/generate_image.py. This path does not exist on any system except the author's machine, so the skill will fail at the image-generation step for every other user. The path leaks the author's Unix username and installation layout.

MEDIUM Full raw email body retrieved and written to filesystem before processing -20

The script fetches the complete raw RFC 2822 message (including headers, body, and all MIME parts) via gog gmail get --format raw, base64-decodes it, and writes it to memory/email-digests/raw_email_content.txt. Although the temp file is cleaned up on exit, the decoded content is also held in the EMAIL_BODY_DECODED shell variable for the duration of the process, accessible to any co-process or shell function.

MEDIUM Unsanitized email content injected into HTML via sed -10

SECTIONS_HTML is produced by piping SECTIONS_MARKDOWN (which is always the hardcoded stub in the current implementation, but would be derived from email content with a real LLM) through a sed script that performs regex substitution. The sed substitutions do not escape HTML entities, so crafted content in an email could inject arbitrary HTML or script tags into the outgoing email body.

MEDIUM Skill uses victim's Gmail identity to send author-authored content -30

Regardless of what the user's actual emails contain, this skill causes the user's authenticated Gmail account to send a specific AI-industry narrative to a configurable recipient list. Combined with the hardcoded example recipients (the author), this effectively creates a covert outbound channel: the author receives recurring messages from the victim's email address, which could be used for social engineering, building contact history, or as proof of email account access.

LOW Unaudited skill dependency (nano-banana-pro) 0

The script invokes a second skill (nano-banana-pro) for image generation. This skill is not included in the current audit scope and may introduce additional attack surface. Its path reference is broken, but a working path could be substituted by an attacker distributing a modified version.

INFO Canary credential files accessed during monitoring period 0

inotify and auditd both recorded opens of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points: before the install (canary setup by the audit framework) and after file enumeration completed (canary integrity check by the audit framework). File contents were not modified and the canary integrity check reports all files intact. These accesses are attributed to the Oathe audit infrastructure, not to the skill.