google-workspace-cli

Security checks across malware telemetry and agentic risk

Overview

This is a real Google Workspace administration skill, but it gives broad live account powers with weak guardrails around destructive actions and credential handling.

Review this skill carefully before installing. Verify the gws package source, use least-privilege Google scopes, prefer keyring-backed token storage, protect any service account key, avoid broad keychain access, and manually review or dry-run every recipe before actions that send messages, share files, modify data, change calendars, or delete Drive trash.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
continue
        print(f"  $ {cmd}")
        try:
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)
            if result.stdout:
                print(result.stdout)
            if result.returncode != 0 and result.stderr:
Confidence
98% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and demonstrates shell execution and file-reading behavior through numerous command examples and helper scripts, but it does not declare permissions or capability boundaries. This can mislead an agent or reviewer about the skill's operational reach, increasing the chance of unintended command execution or access to local files during use.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill includes many write and bulk-action examples for Gmail, Drive, Sheets, and Calendar, including sending email, modifying messages, changing sharing permissions, and updating spreadsheet/calendar content, without prominent warnings about user impact. In an agent setting, such examples can be operationalized directly and cause unintended external communication, data modification, or permission changes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file enumerates many state-changing and externally impactful commands—such as sending email, replying to messages, creating documents, updating Sheets, sharing Drive files, and administering users—without any caution that these actions can modify production Workspace data or contact external parties. In a persona-oriented guide, this omission can normalize direct execution and increase the chance of accidental misuse, especially for high-privilege roles like Executive Assistant, HR, IT Admin, Legal, and Customer Support.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `cleanup-trash` recipe performs an irreversible destructive action (`gws drive files emptyTrash`) without any warning, confirmation step, or guidance to verify scope first. In an admin automation skill, this raises the chance of accidental bulk data loss, especially if users copy-paste commands directly from the cookbook.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file-sharing recipes show how to grant `writer` access to a user or group but do not warn that sharing can expose sensitive documents to unintended recipients or broadly to teams/domains. Because this skill targets Workspace administration and automation, omission of access-control cautions can lead to inadvertent data disclosure through overbroad permissions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The admin and reporting recipes enumerate users, groups, login activity, contacts, emails, tasks, and Drive activity without privacy, authorization, or data-handling warnings. In a Google Workspace admin context, these commands can surface sensitive organizational and personal information, so presenting them as simple recipes increases the risk of misuse, overcollection, or inappropriate access by operators with broad privileges.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting guide recommends falling back to file-based token storage but does not warn that OAuth tokens are sensitive credentials that can grant API access if the file is read by other users, backup systems, or logs. In an admin-focused Google Workspace CLI, this is more dangerous because stored tokens may provide broad access to mail, files, calendars, or administrative functions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The debug instructions tell users to echo authentication-related environment variables without warning that doing so can expose sensitive paths or account identifiers in terminal scrollback, shell history capture, support transcripts, or CI logs. While the delegated user is not secret by itself and the key variable here is a file path rather than key contents, normalizing credential-related echo/debug practices is unsafe in administrative tooling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The macOS guidance again suggests file-based token storage without any warning about securing the token file. Because this skill is for Google Workspace administration, a stolen token could expose sensitive organizational data or permit actions on behalf of privileged users.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Linux headless OAuth guidance tells users to set a service account key path but does not warn that the referenced JSON key is a long-lived secret that must be tightly protected. In a Workspace admin context, service account keys combined with delegation can enable broad automated access across an organization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Linux fallback recommendation uses a token file without telling users to protect it as a sensitive credential. OAuth bearer tokens can often be replayed directly, so insecure file permissions or accidental disclosure can lead to unauthorized access without needing a password.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The script prints the authenticated account identifier (email/user) directly in output, which can disclose sensitive identity information in shared terminals, logs, screenshots, CI output, or support bundles. In an admin-focused Google Workspace tool, that context makes the disclosure more meaningful because it reveals privileged account usage and organizational domains.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The tool can directly execute impactful administrative and data-modifying actions such as sending email, sharing files, patching calendar events, emptying Drive trash, and modifying Workspace resources, but it performs them immediately when `--run` is used. There is no confirmation prompt, risk warning, or per-command approval step, which increases the chance of accidental destructive or unauthorized actions.

VirusTotal

64/64 vendors flagged this skill as clean.
