Google Suite Skill
v1.0.0
Provides unified access to Gmail, Google Calendar, and Drive APIs for managing emails, calendar events, and files with OAuth2 authentication.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's declared registry metadata lists no required environment variables or primary credential, yet SKILL.md and the code require OAuth credentials (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, GOOGLE_OAUTH_REDIRECT_URI). The top-level registry also described the package as instruction-only, but the bundle contains Python code and requirements — these metadata mismatches are incoherent and worth flagging. The requested credentials themselves are appropriate for a Google Suite integration, but the metadata omission is suspicious and reduces trust (source/homepage unknown).
Instruction Scope
SKILL.md instructions and the code stay within the stated scope (Gmail/Calendar/Drive operations) and describe an OAuth flow (local server + user consent). However SKILL.md asserts 'tokens are stored securely and never logged' while the implementation writes tokens to a plain JSON file (google_suite_tokens.json) in the skill folder — not encrypted. That storage behavior should be considered when trusting the skill.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but the bundle includes requirements.txt and explicit pip install instructions in SKILL.md for google-api-python-client and related libs. This is expected for a Python skill, but the absence of a declared install mechanism in the metadata is inconsistent with the provided code and requirements.
Credentials
The environment variables the skill uses (OAuth client ID, client secret, redirect URI) are appropriate and proportionate to its functionality. The scopes requested are broad (read/send/modify Gmail, calendar, full Drive) but justified by the feature set. Note: these are sensitive values; the skill stores resulting tokens as a local JSON file which should be protected (file permissions, isolated environment).
Persistence & Privilege
The skill persists OAuth tokens to google_suite_tokens.json in the skill directory so it can reuse credentials across runs. always:false and no cross-skill configuration changes are present, so privilege level is reasonable. Still, token persistence to disk is a lasting capability — ensure the file's location and permissions are acceptable for your security posture.
What to consider before installing
This skill appears to implement the advertised Gmail/Calendar/Drive features, but there are a few red flags you should consider before installing:
- Metadata mismatch: The registry claims no required env vars and no install steps, but SKILL.md and the code require GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET, and GOOGLE_OAUTH_REDIRECT_URI and instruct you to pip install Google API libs. Treat the missing metadata as a packaging/quality issue and ask the publisher for clarification.
- Sensitive credentials: You must provide an OAuth client ID and secret. Only supply these if you trust the publisher. The skill will launch a local OAuth flow and store tokens in google_suite_tokens.json in the skill folder (plain JSON). Ensure that file is stored in a secure/isolated environment and that file permissions prevent unauthorized access.
- Broad scopes: The scopes include full Drive and Gmail modify/send access. If you only need read-only actions, consider narrowing scopes or using a different, less-privileged skill.
- Source provenance: The skill has no homepage and an unknown source owner — prefer skills with a verifiable homepage or known publisher. If you plan to use it, review the included Python files yourself (they are present and readable) and consider running the skill in an isolated environment (VM/container) until you are comfortable.
- Practical steps: (1) Verify the code matches SKILL.md (it does, but check token path and any changes), (2) run in an isolated account/VM, (3) set restrictive file permissions on google_suite_tokens.json, and (4) ask the publisher to fix metadata and provide a source/homepage for accountability.
If you want, I can produce a checklist of exact commands to inspect the files, run the skill in a container, or help you narrow OAuth scopes for safer use.
Tags: api, automation, calendar, drive, gmail, google, latest, productivity
Google Suite Skill
Version: 1.0.0
Category: Productivity
Description: Unified access to Gmail, Google Calendar, and Google Drive APIs for sending, reading, deleting emails, managing calendar events, and handling files.
Features
Gmail
- Send emails
- Read emails (list, search, get details)
- Delete emails
- Mark as read/unread
Google Calendar
- List events
- Create events
- Update events
- Delete events
Google Drive
- List files
- Upload files
- Download files
- Delete files
- Search files
Setup
Prerequisites
- Python 3.8+
- Google Cloud project with OAuth2 credentials
- Enable Gmail, Calendar, and Drive APIs in Google Cloud Console
Environment Variables
- GOOGLE_OAUTH_CLIENT_ID - OAuth2 client ID
- GOOGLE_OAUTH_CLIENT_SECRET - OAuth2 client secret
- GOOGLE_OAUTH_REDIRECT_URI - OAuth2 redirect URI (e.g., http://localhost:8080/callback)
Required Scopes
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/gmail.send
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/calendar
- https://www.googleapis.com/auth/drive
Token Storage
- Tokens are stored in google_suite_tokens.json (by default)
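The scan above notes that this file is plain JSON and should be protected with file permissions. The following is an added example, not the skill's own code, of writing and loading google_suite_tokens.json with owner-only access on a POSIX system; the function names save_tokens, audit_token_file and load_tokens are hypothetical.

```python
import json
import os
import stat
import tempfile

TOKEN_FILE = "google_suite_tokens.json"  # default file name given on this page


def save_tokens(tokens: dict, path: str = TOKEN_FILE) -> None:
    """Write tokens atomically to a file only the owner can read or write."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the temp file with mode 0600, so the secret is never
    # readable by other local users, even briefly.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tokens-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(tokens, fh)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic rename; replaces any older, looser file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def audit_token_file(path: str = TOKEN_FILE) -> list:
    """Return a list of findings; an empty list means the file looks safe."""
    findings = []
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this path
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other permissions set: %o" % stat.S_IMODE(st.st_mode))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("owned by another user")
    return findings


def load_tokens(path: str = TOKEN_FILE) -> dict:
    """Refuse to use a token file that other local users could read."""
    findings = audit_token_file(path)
    if findings:
        raise PermissionError(f"{path}: " + "; ".join(findings))
    with open(path) as fh:
        return json.load(fh)
```

Owner-only permissions limit exposure to other local accounts; the tokens are still unencrypted on disk, so backups and anything running as the same user can read them.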
Installation
pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib
Usage
Authentication
- On first use, the skill will prompt for OAuth2 authentication.
- Visit the provided URL, log in, and paste the authorization code.
- Tokens will be saved for future use.
Example Calls
Send Email
skill.execute({
    "service": "gmail",
    "action": "send",
    "to": "user@example.com",
    "subject": "Test Email",
    "body": "Hello from OpenClaw!"
})
List Emails
skill.execute({
    "service": "gmail",
    "action": "list",
    "query": "from:boss@company.com"
})
Delete Email
skill.execute({
    "service": "gmail",
    "action": "delete",
    "message_id": "XYZ123..."
})
List Calendar Events
skill.execute({
    "service": "calendar",
    "action": "list",
    "days": 7
})
Create Calendar Event
skill.execute({
    "service": "calendar",
    "action": "create",
    "summary": "Team Meeting",
    "start": "2024-03-01T10:00:00",
    "end": "2024-03-01T11:00:00"
})
List Drive Files
skill.execute({
    "service": "drive",
    "action": "list",
    "query": "name contains 'report'"
})
Upload File to Drive
skill.execute({
    "service": "drive",
    "action": "upload",
    "file_path": "./myfile.pdf"
})
Security
- OAuth2 tokens are stored securely and never logged.
- All credentials are loaded from environment variables.
- No sensitive data is printed or logged.
Troubleshooting
- Ensure all required APIs are enabled in Google Cloud Console.
- Check that OAuth2 credentials are correct and match the redirect URI.
- Delete google_suite_tokens.json to force re-authentication if needed.
