Zappush

      Safety Report

      Ride Insights

      @datahiveai

      Fetch and extract ride-sharing receipts from Gmail locally using OpenClaw to analyze ride patterns and create anonymized shareable reports.

      478 Downloads · 1 Installs · 10 Stars · 1 Versions
      Web Scraping 2,251 · Networking & DNS 2,106 · Legal & Compliance 1,710 · Email Automation 1,331

      Security Analysis

      high confidence
      Clean · 0.08 risk

      The skill's files, instructions, and requested environment variables match its stated purpose (fetch Gmail receipts locally, send them to a local OpenClaw Gateway for extraction, store results locally), and there are no obvious mismatches or hidden exfiltration paths.

      Mar 31, 2026 · 8 files · 2 concerns

      Purpose & Capability: ok

      The skill is designed to fetch Gmail ride receipts and extract structured rides via a local OpenClaw Gateway. Requiring the gog CLI (for Gmail access) and python3 is consistent with the implementation. The declared env vars (OPENCLAW_GATEWAY_TOKEN, OPENCLAW_GATEWAY_URL, OPENCLAW_GATEWAY_MODEL) are directly used for the local Gateway calls.

      Instruction Scope: note

      Runtime instructions and code consistently: (1) call gog to list/fetch Gmail messages, (2) write raw fetched receipts to data/ride-insights/emails.json, (3) POST the raw email JSON (including HTML) to the local Gateway /v1/responses endpoint, and (4) store normalized output locally. The skill enforces that the Gateway host must be local (localhost/127.0.0.1/::1) and requires explicit user consent before extraction. Note: the code and SKILL.md reference a fallback config file (~/.openclaw/openclaw.json) for the gateway token; this file access is documented in the SKILL.md but is not listed in the registry's required config paths.

      Install Mechanism: ok

      No install spec — instruction-only with bundled scripts. Nothing is downloaded from external URLs or installed automatically. Risk is limited to execution of included Python scripts and reliance on the already-installed gog CLI.

      Credentials: note

      Requested env vars (gateway token, URL, model) are appropriate for contacting a local OpenClaw Gateway. The skill also reads ~/.openclaw/openclaw.json as a documented legacy fallback for the token; that file can contain sensitive credentials and is not declared as a required config path in registry metadata (the SKILL.md does document the fallback). The skill does not request unrelated third-party credentials.

      Persistence & Privilege: ok

      The skill does not request always:true and does not modify other skills or system-wide settings. It writes local artifacts under data/ride-insights and creates/initializes a local SQLite DB — behavior that matches its purpose. Note that autonomous invocation is enabled by default on the platform; if you do not want the agent to fetch emails automatically, disable autonomous invocation at the agent level.

      Guidance

      This skill appears internally consistent, but it processes highly sensitive data (full receipt HTML and message metadata). Before installing or running it:

      (1) ensure you run a trusted local OpenClaw Gateway and set OPENCLAW_GATEWAY_URL to localhost/127.0.0.1/::1 only (the code refuses non-local hosts),
      (2) verify where your gateway token is stored — either in env OPENCLAW_GATEWAY_TOKEN or in ~/.openclaw/openclaw.json — and be comfortable with that file containing a token,
      (3) ensure your gog CLI is properly authenticated for the Gmail account you intend to use and review gog permissions,
      (4) confirm the skill with the user before extraction (SKILL.md requires explicit consent),
      (5) treat data/ride-insights/emails.json as sensitive and delete it when no longer needed, and
      (6) if you do not want the agent to autonomously access Gmail, disable or gate autonomous invocation at the agent level.

      Overall the skill's actions align with its description — the main risk is handling of sensitive emails, not covert exfiltration or unrelated credential access.

      Latest Release

      v0.1.0

      Initial public release with privacy-first, local-only ride receipt processing and insights.

      - Fetches ride receipt emails from Gmail using the gog CLI and stores them in local JSON.
      - Extracts structured ride data from receipts via a local OpenClaw Gateway (localhost only; no remote processing).
      - Loads extracted rides into a local SQLite database for further analysis.
      - Generates behavioral and spending insights based on extracted ride history.
      - Exports an anonymized, DataHive-ready CSV for safe sharing and DataHive AI mission participation.
      - Supports Uber, Bolt, Lyft, Yandex, Free Now, Curb, and Via.


      Published by @datahiveai on ClawHub
