Skill v1.0.0

ClawScan security

google-workspace-cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 3:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and instructions match a Google Workspace admin tool, but the registry metadata omits the sensitive environment/credential requirements the SKILL.md and scripts clearly rely on — an incoherence you should review before installing.
Guidance
This package appears to be a legitimate gws CLI assistant, but it requires sensitive Workspace credentials (an OAuth client secret, or a service-account JSON key plus a delegated admin user) even though the registry metadata does not declare them. Before using it:
1) Confirm the skill's origin (there is no homepage or known source) and prefer code from a trusted repository.
2) Inspect the included scripts yourself (they run local subprocess commands, i.e. the gws binary) and consider running them in demo mode or in an isolated environment first.
3) If you supply a service-account key or OAuth client secret, follow least-privilege practice: create a dedicated service account, grant domain-wide delegation only for the specific OAuth scopes the skill needs, and delegate to an admin account with no more privilege than the tasks require.
4) Do not paste keys into third-party UIs; store key files on disk with owner-only permissions and point GWS_SERVICE_ACCOUNT_KEY at the file path.
5) If you are uncomfortable with the missing metadata (env vars/credentials not declared), ask the publisher to fix the metadata, or avoid installing until provenance is confirmed.
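A check for guidance item 4, added here as example code (it is not part of the skill or of ClawHub's scanner): it rejects key material pasted inline into the variable, requires the referenced file to exist with owner-only permissions, and checks that the document carries the fields Google puts in a service-account key JSON (type, client_email, private_key, token_uri). The variable name GWS_SERVICE_ACCOUNT_KEY follows the page; the key document is a constructed placeholder with a fake PEM body.

```python
"""Added example: sanity-check how GWS_SERVICE_ACCOUNT_KEY is supplied, per guidance
item 4.  The variable name comes from the page; the key document below is a
constructed placeholder, and the field list is the one Google uses in
service-account JSON keys."""
import json
import os
import stat
import tempfile
from typing import Dict, List

# Fields every Google service-account key JSON carries; their absence means the
# file is not a service-account key (or is a truncated/hand-edited one).
REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")


def check_service_account_key(env: Dict[str, str], var: str = "GWS_SERVICE_ACCOUNT_KEY") -> List[str]:
    """Return findings about the key reference; an empty list means it is acceptable."""
    value = env.get(var)
    if not value:
        return [f"{var} is not set"]
    if value.lstrip().startswith("{"):
        # Key material inline in the environment ends up in process listings and logs.
        return [f"{var} contains inline JSON; store the key in a file and pass its path"]
    path = os.path.expanduser(value)
    if not os.path.isfile(path):
        return [f"{var} does not point at an existing file: {path}"]
    findings: List[str] = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible to group/others (mode {oct(mode)}); chmod 600 it")
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
    except (OSError, ValueError) as exc:
        return findings + [f"{path} is not valid JSON: {exc}"]
    if not isinstance(data, dict):
        return findings + [f"{path} is not a JSON object"]
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        findings.append(f"{path} lacks service-account fields: {', '.join(missing)}")
        return findings
    if data["type"] != "service_account":
        findings.append(f"{path} has type {data['type']!r}, expected 'service_account'")
    if not str(data["private_key"]).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append(f"{path} private_key is not PEM-encoded")
    return findings


# Constructed key document with a placeholder PEM body; not a real key.
_FAKE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "gws-audit@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIBfakefakefake\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
}


def demo() -> Dict[str, List[str]]:
    """Run the check against a well-stored key, a world-readable one, an inline one, and none."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "sa-key.json")
        with open(good, "w", encoding="utf-8") as fh:
            json.dump(_FAKE_KEY, fh)
        os.chmod(good, 0o600)
        results["file_0600"] = check_service_account_key({"GWS_SERVICE_ACCOUNT_KEY": good})
        os.chmod(good, 0o644)
        results["file_0644"] = check_service_account_key({"GWS_SERVICE_ACCOUNT_KEY": good})
        results["inline_json"] = check_service_account_key({"GWS_SERVICE_ACCOUNT_KEY": json.dumps(_FAKE_KEY)})
        results["unset"] = check_service_account_key({})
    return results


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or "ok")
```

Run it as a pre-flight before launching any of the bundled scripts; a non-empty findings list for the real environment means the key is exposed more widely than the guidance intends.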

Review Dimensions

Purpose & Capability
[note] Name and description claim Google Workspace administration via the gws CLI; the included scripts (auth_setup_guide.py, gws_doctor.py, workspace_audit.py, recipe runner, output_analyzer) and many command references consistently implement that purpose. Source/homepage is missing, which reduces the ability to verify authenticity.
Instruction Scope
[note] SKILL.md instructs the agent/user to run the included Python scripts and many gws CLI commands that access Gmail, Drive, Sheets, Calendar, Admin SDK, etc. Those instructions are within the stated purpose, but they explicitly refer to reading environment variables, token/key file paths, and running subprocess gws calls, all expected for an admin tool but also capable of accessing/acting on sensitive data if misused.
Install Mechanism
[ok] There is no install spec (instruction-only), so nothing is downloaded or written to disk by an installer. Code files are bundled in the skill package and are executed locally; no external URL downloads or extract/install steps were specified.
Credentials
[concern] Registry metadata declares no required env vars or primary credential, but SKILL.md and bundled scripts clearly require and reference sensitive variables (GWS_CLIENT_ID, GWS_CLIENT_SECRET, GWS_SERVICE_ACCOUNT_KEY, GWS_DELEGATED_USER, GWS_TOKEN_PATH). This mismatch is an incoherence: the skill will need sensitive credentials to function but the metadata does not surface that fact to the platform or user.
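The mismatch described here (and guidance items 2 and 5 above) can be checked mechanically before installing. The following is an added example, not ClawHub's scanner code: it scans a package's SKILL.md and bundled scripts for environment-variable references and subprocess calls, then diffs what the code needs against what the registry metadata declares. The file contents and the GWS_ name prefix are constructed stand-ins modelled on the variables listed in this finding.

```python
"""Added example: flag environment variables that a skill's SKILL.md and bundled
scripts read but its registry metadata never declares (the incoherence reported
above).  All file contents below are constructed stand-ins, not the real package."""
import re
from typing import Dict, Iterable, Set

# Ways a Python script or a shell/markdown snippet pulls a value from the environment.
_ENV_PATTERNS = [
    re.compile(r"os\.environ(?:\.get)?\s*[\[(]\s*['\"]([A-Z][A-Z0-9_]+)['\"]"),
    re.compile(r"os\.getenv\s*\(\s*['\"]([A-Z][A-Z0-9_]+)['\"]"),
    re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?"),  # $VAR / ${VAR} in shell and docs
]
# Names carrying any of these substrings are treated as credential material.
_SENSITIVE_HINTS = ("SECRET", "KEY", "TOKEN", "PASSWORD", "CREDENTIAL")
_SUBPROCESS = re.compile(r"\bsubprocess\.(?:run|Popen|call|check_output|check_call)\s*\(")


def referenced_env_vars(files: Dict[str, str], prefix: str = "GWS_") -> Set[str]:
    """Every env var name the package mentions, by API call or by project prefix in prose."""
    found: Set[str] = set()
    prefix_pat = re.compile(r"\b(" + re.escape(prefix) + r"[A-Z0-9_]+)\b")
    for text in files.values():
        for pat in _ENV_PATTERNS:
            found.update(pat.findall(text))
        found.update(prefix_pat.findall(text))
    return found


def sensitive(names: Iterable[str]) -> Set[str]:
    return {n for n in names if any(h in n for h in _SENSITIVE_HINTS)}


def subprocess_callers(files: Dict[str, str]) -> Set[str]:
    """Scripts that spawn local processes (the gws binary, in this skill's case)."""
    return {name for name, text in files.items() if _SUBPROCESS.search(text)}


def audit(files: Dict[str, str], declared_env: Iterable[str], prefix: str = "GWS_") -> dict:
    """Compare what the code needs against what the metadata admits to needing."""
    undeclared = referenced_env_vars(files, prefix) - set(declared_env)
    undeclared_sensitive = sensitive(undeclared)
    return {
        "undeclared": sorted(undeclared),
        "undeclared_sensitive": sorted(undeclared_sensitive),
        "subprocess_callers": sorted(subprocess_callers(files)),
        # An undeclared credential requirement is exactly the incoherence worth a "suspicious".
        "verdict": "suspicious" if undeclared_sensitive else "ok",
    }


# Constructed stand-ins for a skill package; not the real google-workspace-cli files.
SAMPLE_FILES = {
    "SKILL.md": """\
Point `$GWS_SERVICE_ACCOUNT_KEY` at a service-account JSON on disk and set
`${GWS_DELEGATED_USER}` to the admin to impersonate. For OAuth instead,
set GWS_CLIENT_ID and GWS_CLIENT_SECRET, then run `python gws_doctor.py`.
""",
    "gws_doctor.py": """\
import os, subprocess
client_id = os.environ["GWS_CLIENT_ID"]
client_secret = os.environ.get("GWS_CLIENT_SECRET")
token_path = os.getenv("GWS_TOKEN_PATH", "~/.gws/token.json")
subprocess.run(["gws", "--version"], check=True)
""",
    "workspace_audit.py": """\
import os, subprocess
key_file = os.environ.get("GWS_SERVICE_ACCOUNT_KEY")
out = subprocess.check_output(["gws", "users", "list"])
""",
}

# What the registry metadata declared for this version: nothing.
DECLARED_ENV: list = []


def demo() -> dict:
    return audit(SAMPLE_FILES, DECLARED_ENV)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Against the constructed package the verdict is "suspicious" because three undeclared names (GWS_CLIENT_SECRET, GWS_SERVICE_ACCOUNT_KEY, GWS_TOKEN_PATH) look like credential material; feeding the same undeclared list back in as the declared metadata turns the verdict to "ok", which is the fix to ask the publisher for.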
Persistence & Privilege
[ok] Skill is not marked always:true and is user-invocable; it does not request platform-level persistence. The workspace-config.json includes scheduled task examples (cron-style), but those are user configuration examples, not an automatic request for persistent background execution or modification of other skills.