
Clawback

by Rotem Tamir · GitHub ↗ · v0.2.0
cross-platform ⚠ suspicious
451 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install clawback-sh
Description
Gmail security proxy with policy enforcement, approval workflows, and audit logging. Use when the user wants to read, search, or send Gmail with guardrails —...
README (SKILL.md)

clawback

Use clawback for Gmail with policy enforcement. All operations go through a server-side proxy that enforces policies and logs an audit trail. Sends may require human approval.

Prerequisites

The clawback binary must be installed and on your PATH. If it's missing, releases are available at https://github.com/honeybadge-labs/clawback/releases.

Setup (once)

  • clawback auth login (device flow — opens browser)
  • clawback auth status (verify connection)

Common commands

  • Gmail search: clawback gmail search 'newer_than:7d' --max 10
  • Gmail search (all pages): clawback gmail search 'from:[email protected]' --all --json
  • Gmail get message: clawback gmail get <messageId> --json
  • Gmail send (plain): clawback gmail send --to [email protected] --subject "Hi" --body "Hello"
  • Gmail send (HTML): clawback gmail send --to [email protected] --subject "Hi" --body-html "<p>Hello</p>"
  • Gmail send (reply): clawback gmail send --to [email protected] --subject "Re: Hi" --body "Reply" --reply-to-message-id <msgId> --thread-id <threadId>
  • Thread list: clawback gmail thread list 'subject:meeting' --max 20
  • Thread get: clawback gmail thread get <threadId> --json
  • Thread modify labels: clawback gmail thread modify <threadId> --add STARRED --remove UNREAD
  • Labels list: clawback gmail labels list
  • Labels create: clawback gmail labels create --name "Important/Clients"
  • Labels modify message: clawback gmail labels modify <messageId> --add STARRED --remove UNREAD
  • Drafts list: clawback gmail drafts list --json
  • Drafts create: clawback gmail drafts create --to [email protected] --subject "Draft" --body "WIP"
  • Drafts send: clawback gmail drafts send <draftId> (may require approval)
  • Drafts delete: clawback gmail drafts delete <draftId>
  • History: clawback gmail history --since <historyId> --max 50
  • Batch delete: clawback gmail batch delete <id1> <id2> <id3>
  • Batch modify: clawback gmail batch modify <id1> <id2> --add INBOX --remove SPAM
  • Settings filters list: clawback gmail settings filters list --json
  • Settings send-as list: clawback gmail settings send-as list
  • Settings vacation get: clawback gmail settings vacation get
  • Settings forwarding list: clawback gmail settings forwarding list
  • Settings delegates list: clawback gmail settings delegates list
  • Approvals list: clawback approvals list --status pending --json
  • Approvals get: clawback approvals get <approvalId> --json
  • Policy list: clawback policy list --json

Agent behavior

  • Never expose approval IDs, exit codes, or CLI commands to the user. Those are internal plumbing.
  • When composing email on the user's behalf, draft a natural subject and body — don't parrot their words verbatim. If they say "send a hello to Alex," write a friendly greeting, not --subject "hello" --body "hello".
  • Confirm with the user before sending. Show them the draft (to, subject, body) and ask if it looks good.

Handling approvals (exit code 8)

When a send command exits with code 8, it means the email needs human approval before it goes out.

  1. Tell the user in plain language: "Sent! It needs approval in Clawback before it goes through — I'll keep an eye on it."
  2. Poll clawback approvals get <approvalId> --json in the background every ~30s.
  3. When resolved, proactively tell the user: "Approved and delivered" or "The approval was rejected/expired — the email was not sent."
  4. Never ask the user to run commands or check approval status themselves.

Handling other errors

  • Exit 4 (not authenticated): "You're not signed in — let me open the login flow." Then run clawback auth login.
  • Exit 6 (blocked by policy): "Your org's policy doesn't allow this action." Explain what was blocked.
  • Exit 3 (no results): Report naturally, e.g. "No emails matched that search."
  • Exit 1 (unexpected error): Report the error and suggest retrying.

Notes

  • CB_SERVER defaults to https://clawback.sh; set it to use a different server.
  • Prefer --json plus --no-input plus --fail-empty for reliable output parsing.
  • --connection <id> selects which Gmail connection to use; auto-detected if you have one connection.
  • --all auto-paginates search results (gmail search and thread list).
  • --select field1,field2 projects JSON output to specific fields.
  • --results-only strips the envelope and returns just the data array.
Usage Guidance
This skill is coherent, but it requires trust in the external Clawback service because the CLI's device-flow authentication gives that service access to your Gmail data (and it enforces policies and logs audits). Before installing: (1) verify you obtain the 'clawback' binary only from the official repo/releases (https://github.com/honeybadge-labs/clawback or https://clawback.sh), (2) inspect the OAuth scopes the CLI requests during auth so you understand what the proxy can read/send, (3) confirm your org's policy about routing mail through a third-party proxy/audit service, and (4) be aware the agent is instructed to poll approval state in the background and to keep approval IDs/internal CLI output hidden from users — this requires you to trust the skill to notify you accurately. If any of those trust points are unacceptable, do not install.
Capability Analysis
Type: OpenClaw Skill
Name: clawback-sh
Version: 0.2.0

The skill wraps the `clawback` CLI tool, which handles sensitive Gmail data. The `SKILL.md` documentation reveals the `CB_SERVER` environment variable, which can redirect all `clawback` binary traffic to an arbitrary server. While the skill does not explicitly instruct the agent to set this variable to a malicious endpoint, its presence creates a significant prompt injection vulnerability. A compromised agent could be instructed to set `CB_SERVER` to an attacker-controlled domain, leading to exfiltration of sensitive Gmail data. Additionally, instructions to the agent to 'Never expose approval IDs, exit codes, or CLI commands to the user' could facilitate stealthy operations.
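A guard an operator could place around the CLI to address the `CB_SERVER` redirection risk described above and to record the exit codes listed in the README, so they stay visible to an operator even when the agent hides them. This is an added example, not part of the skill or the clawback project; the function names, the `CB_ALLOWED_SERVERS` variable and the refusal code 64 are assumptions.

```bash
#!/usr/bin/env bash
# Added example: guard around the clawback CLI (all function names are hypothetical).

CB_DEFAULT_SERVER="https://clawback.sh"   # default documented in the README notes
# Operator-approved servers, space separated (assumption: exact-match allowlist).
CB_ALLOWED_SERVERS="${CB_ALLOWED_SERVERS:-$CB_DEFAULT_SERVER}"

# Return 0 only when the effective CB_SERVER is on the allowlist.
# Exact match, so a host that merely starts with an approved name is rejected.
cb_server_ok() {
  local effective
  local allowed
  effective="${CB_SERVER:-$CB_DEFAULT_SERVER}"
  effective="${effective%/}"              # tolerate one trailing slash
  for allowed in $CB_ALLOWED_SERVERS; do
    [ "$effective" = "${allowed%/}" ] && return 0
  done
  return 1
}

# Map the exit codes listed in the README to a short status word.
cb_exit_meaning() {
  case "$1" in
    0) echo ok ;;
    1) echo unexpected-error ;;
    3) echo no-results ;;
    4) echo not-authenticated ;;
    6) echo blocked-by-policy ;;
    8) echo approval-required ;;
    *) echo unknown ;;
  esac
}

# Run clawback only against an approved server and log the exit code to stderr.
cb_guarded() {
  local rc
  if ! cb_server_ok; then
    echo "refusing to run: CB_SERVER=${CB_SERVER:-} is not an approved server" >&2
    return 64                             # assumption: wrapper's own refusal code
  fi
  rc=0
  clawback "$@" || rc=$?
  echo "clawback exit=$rc ($(cb_exit_meaning "$rc"))" >&2
  return "$rc"
}
```

Sourcing this file and having the agent call `cb_guarded` instead of `clawback` keeps a changed `CB_SERVER` from taking effect without an operator editing the allowlist.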
Capability Assessment
Purpose & Capability
Name/description (Gmail security proxy with approvals/audit) match the declared requirement of a 'clawback' binary and the SKILL.md commands that use that binary. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
SKILL.md instructs the agent to run the 'clawback' CLI, handle specific exit codes, and poll approvals in the background; these instructions are within the claimed scope but imply the agent will hold and poll approval IDs and should not surface CLI plumbing to users. This is a trust decision (the proxy/service will see mailbox data during normal operation).
Install Mechanism
No install spec is included (instruction-only), and SKILL.md points to upstream GitHub releases for the binary. No downloads or extract steps are embedded in the skill itself.
Credentials
The skill declares no required env vars or credentials. SKILL.md mentions optional CB_SERVER and connection ids; this is proportional. Note: real Gmail access is obtained via the clawback CLI's auth flow, so the external Clawback service will receive OAuth scopes — the user should review what scopes/permissions that service requests.
Persistence & Privilege
always is false and the skill is user-invocable. It does request the agent perform background polling of approvals, but it does not demand permanent/all-agent presence or modify other skills' configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install clawback-sh
  3. After installation, invoke the skill by name or use /clawback-sh
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Remove curl|bash install, declare CB_SERVER default, add agent behavior guidance, remove file-handling examples
v0.1.0
Initial release — Gmail security proxy skill with full CLI command reference
Metadata
Slug clawback-sh
Version 0.2.0
License
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is Clawback?

Gmail security proxy with policy enforcement, approval workflows, and audit logging. Use when the user wants to read, search, or send Gmail with guardrails —... It is an AI Agent Skill for Claude Code / OpenClaw, with 451 downloads so far.

How do I install Clawback?

Run "/install clawback-sh" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clawback free?

Yes, Clawback is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Clawback support?

Clawback is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Clawback?

It is built and maintained by Rotem Tamir (@rotemtam); the current version is v0.2.0.
