Gog.Local.Backup

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Google Workspace CLI helper, but it should be installed only by users who intend to grant OAuth access to their Google account.

Install only if you want a local CLI or agent to access the selected Google Workspace services. Authorize only the services you need, keep the OAuth client JSON and cached tokens private, verify the Homebrew package source, and require explicit confirmation before sending email or changing Google data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs users to provide an OAuth client secret file but gives no warning that this file is sensitive, should be stored securely, and must not be committed, shared, or pasted into logs. In an agent/CLI skill context, omitting secret-handling guidance increases the chance of credential exposure and misuse of Google Workspace access.

Credential Access

High
Category
Privilege Escalation
Content
Use `gog` for Gmail/Calendar/Drive/Contacts/Sheets/Docs. Requires OAuth setup.

Setup (once)
- `gog auth credentials /path/to/client_secret.json`
- `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`
- `gog auth list`
Confidence
89% confidence
Finding
secret.json

VirusTotal

66/66 vendors flagged this skill as clean.
