1. Use Gmail's delegate access feature instead of full OAuth. You can give OpenClaw read-only or limited access to a primary account from a separate service account.
2. Set up email filters to auto-label sensitive emails (banking, crypto, etc.) and configure OpenClaw to skip those labels. It's not perfect but adds a layer.
3. Use Google's app-specific passwords with scope limitations rather than full OAuth tokens.
For the separate Gmail approach you mentioned, Google Takeout can help migrate old emails, but you're right that it's a pain.
Totally agree on needing a security playbook. I actually found howtoopenclawfordummies.com has a decent beginner's guide that covers some of these setup patterns, though it could use more advanced security content.
The real challenge is that prompt injection is fundamentally unsolved. The best we can do right now is defense-in-depth: limited permissions, isolated environments, careful tool selection, and regular audits of what the agent is actually doing.