gog-safety

Security checks across malware telemetry and agentic risk

Overview

This admin-oriented skill is not plainly harmful, but its advertised safety profiles still allow sensitive credential, sharing, script, and deployment actions that need careful review.

Install only if you are deliberately administering gog for an agent and can audit the profiles first. Pin or verify the upstream source before building, remove token export/import, keyring, and service-account controls from restricted tiers unless explicitly needed, and deploy only to approved hosts where replacing /usr/local/bin/gog is acceptable and reversible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The profile explicitly claims 'Nothing outbound' and 'never ... share in a way that notifies others,' yet it permits Drive sharing/unsharing and broad calendar ACL access. Even if some share operations do not send email notifications, they still alter other users' access and can create externally visible side effects, violating the stated safety boundary and enabling unintended disclosure or collaboration changes.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The narrative says L1 is limited to 'YOUR OWN stuff,' but the enabled capabilities can modify shared-access state for calendars and Drive content. That mismatch is security-relevant because agents and users may rely on the prose safety guarantees while the actual permission set allows actions that affect other people or shared resources.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The L2 profile is described as a restricted 'Draft & Collaborate' mode, but it enables many destructive and administrative actions such as delete/update/share/unshare across Drive, Calendar, Contacts, Docs, Sheets, Slides, and auth management. This creates a capability set far broader than the stated safety boundary, increasing the risk of data loss, permission changes, and misuse under the guise of a limited-collaboration profile.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The profile enables credential and token management features including keyring access, token export/import, credential set/remove, and service-account configuration, which are highly sensitive and not justified by a collaboration-focused safety profile. If abused, these permissions could expose secrets, enable account takeover, or let an agent reconfigure authentication to expand access beyond intended limits.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Enabling appscript.run allows direct script execution despite the profile being positioned as a restricted collaboration mode. Script execution can act as a privilege amplifier by performing complex or side-effecting actions indirectly, potentially bypassing the intended command-level safety model.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This profile grants far broader authority than the skill's stated purpose of building and deploying safety-profiled gogcli binaries. It enables operational access across Gmail, Drive, Calendar, Chat, Docs, Sheets, Slides, Contacts, auth, and token management, creating a major scope mismatch that could let an agent act far beyond build/setup tasks if this profile is selected or reused.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The auth section permits credential administration, token export/import, keyring access, alias changes, and service-account management, none of which are necessary for merely safety-profiling binaries. These capabilities could be abused to extract, rotate, import, or repoint credentials and thereby expand compromise beyond a single task into persistent account or environment access.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The profile allows extensive read/write and messaging operations across multiple Google Workspace services, including sending email and chat messages, deleting and sharing files, modifying calendars, editing documents, and altering contacts. In the context of a skill advertised for restricted-permission gog setup, these permissions are unrelated and materially increase the blast radius for misuse, prompt injection, or agent error.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
These instructions direct replacement of `/usr/local/bin/gog` on a remote host, create a backup, and provide rollback steps, but they do not prominently warn that this is a privileged modification to system files on a live machine. In an agent setting, that omission increases the risk of unauthorized remote changes, service disruption, deployment to the wrong host, or persistence of an unreviewed binary.
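The replacement of `/usr/local/bin/gog` that this finding describes can be done with the safeguards the Overview asks for: only on an approved host, only for a build whose digest matches a pinned value, with a backup kept and a rollback path. The script below is an added example written for this page, not the skill's own instructions. It runs on the target host itself (in the skill's setting it would be invoked over ssh; copying the build to the host is not shown), and the paths, hostnames and digests used in `demo()` are constructed for the demonstration.

```python
"""Replace an installed gog binary only after checking the host is approved and the
candidate build matches a pinned SHA-256, keeping a backup and a rollback path.
Added example; not the skill's own deploy steps. Paths, hostnames and digests
below are constructed for the demonstration (the real install path on the page is
/usr/local/bin/gog, reached over ssh; the remote copy is outside this script)."""
import hashlib
import os
import shutil
import socket
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def deploy(candidate: Path, target: Path, pinned_sha256: str,
           approved_hosts: Iterable[str]) -> Path:
    """Install candidate at target and return the path of the backup copy.

    Refuses if this host is not on the approved list or if the candidate's digest
    differs from the pinned one, so an unreviewed build never replaces the binary.
    """
    host = socket.gethostname()
    if host not in set(approved_hosts):
        raise PermissionError(f"{host} is not an approved deployment host")
    actual = sha256_of(candidate)
    if actual != pinned_sha256.lower():
        raise ValueError(f"digest mismatch for {candidate}: {actual} != {pinned_sha256}")
    backup = target.with_name(target.name + ".bak")
    if target.exists():
        shutil.copy2(target, backup)        # preserve the previous binary for rollback
    staged = target.with_name(target.name + ".new")
    shutil.copy2(candidate, staged)
    os.chmod(staged, 0o755)
    os.replace(staged, target)              # atomic rename: never a half-written binary
    return backup


def rollback(target: Path) -> bool:
    """Restore target from its .bak copy; False when there is nothing to restore."""
    backup = target.with_name(target.name + ".bak")
    if not backup.exists():
        return False
    os.replace(backup, target)
    return True


def demo() -> Dict[str, object]:
    """Run the deploy/rollback flow in a scratch directory and report what happened."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "gog"                # stands in for /usr/local/bin/gog
        candidate = Path(tmp) / "gog-build"
        target.write_bytes(b"#!/bin/sh\necho old\n")
        candidate.write_bytes(b"#!/bin/sh\necho new\n")
        pinned = hashlib.sha256(candidate.read_bytes()).hexdigest()
        me = socket.gethostname()

        try:                                      # wrong host: nothing is touched
            deploy(candidate, target, pinned, ["not-an-approved-host.invalid"])
            out["host_check"] = "missing"
        except PermissionError:
            out["host_check"] = "rejected"

        try:                                      # wrong pin: nothing is touched
            deploy(candidate, target, "0" * 64, [me])
            out["pin_check"] = "missing"
        except ValueError:
            out["pin_check"] = "rejected"
        out["untouched"] = target.read_bytes() == b"#!/bin/sh\necho old\n"

        backup = deploy(candidate, target, pinned, [me])
        out["deployed"] = target.read_bytes() == b"#!/bin/sh\necho new\n"
        out["backup_kept"] = backup.read_bytes() == b"#!/bin/sh\necho old\n"
        out["executable"] = bool(target.stat().st_mode & 0o111)

        out["rolled_back"] = rollback(target) and target.read_bytes().endswith(b"old\n")
        out["rollback_again"] = rollback(target)  # backup consumed: nothing to restore
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v}")
```

The two refusals happen before anything on disk is changed, and the install goes through a staged copy plus `os.replace`, so a crash mid-way leaves either the old binary or the new one, never a truncated file.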

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The profile enables extensive authentication management, including credential setup/removal, token export/import, service-account configuration, and alias management, without prominent warning that these are sensitive account-control operations. In an agent context, this expands blast radius beyond ordinary productivity tasks and can lead to account takeover, persistence, or credential exfiltration if misused.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The file broadly enables large numbers of commands but does not define clear trigger constraints, prohibited scenarios, or negative examples that would limit when the profile should be used. In an agent setting, this ambiguity can cause overbroad invocation and unsafe use of sensitive capabilities in contexts the user did not intend.

Missing User Warnings

High
Confidence
97% confidence
Finding
Sensitive auth capabilities are exposed without any inline warning, approval requirement, or manifest-level notice that the profile can manipulate credentials and tokens. In a safety-profile skill, the absence of prominent warnings increases the chance that users or higher-level agents treat the profile as low-risk while it actually permits secret handling and authentication reconfiguration.

Vague Triggers

Medium
Confidence
88% confidence
Finding
This manifest exposes a very broad set of powerful capabilities without embedding activation constraints, exclusions, or task-bound conditions. Even if the permissions are intentional, the lack of guardrails makes accidental overreach and unsafe invocation more likely, especially for autonomous or semi-autonomous agents.

Natural-Language Policy Violations

Medium
Confidence
83% confidence
Finding
The comments explicitly frame direct messaging and tracking as part of 'full operational capability' without mentioning user consent, approval flow, or notification requirements. In an agent-facing safety profile, this normalizes outbound communication and monitoring behavior that can be privacy-invasive or harmful if triggered automatically.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill explicitly documents that L1+ permits filter forwarding and drive sharing, both of which can expose user data despite the stated safety model. In context, this is especially risky because the skill is marketed as a restricted-permissions deployment profile for AI agents; leaving these exfiltration paths available can undermine the core safety guarantee and enable unauthorized disclosure of emails or files.

Credential Access

High
Category
Privilege Escalation
Content
    set: true
    unset: true
  status: true
  keyring: true
  remove: true
  tokens:
    list: true
Confidence
98% confidence
Finding
keyring
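The profile fragment under Content above, and the Overview's advice to audit the profiles before installing, can be checked mechanically rather than by reading prose. The script below is an added example, not part of this scan page and not gog's or the skill's own tooling: it flattens a profile into dotted capabilities and reports every enabled one that falls in a class the tier's prose claims is switched off (the "nothing outbound" and "only your own stuff" claims quoted in the findings). The sample profile and the section and command names it uses (`drive.share`, `auth.tokens.export`, `appscript.run`, and so on) are constructed assumptions in the style of the fragment, not the real gog schema.

```python
"""Flatten a gog safety profile into its effective capability set and flag every
enabled capability that contradicts the tier's stated safety boundary. Added
example; not gog's or the skill's own tooling. The nested 'section: {command: true}'
layout follows the fragment on this page, but the section and command names used
below are assumptions, not the real gog profile schema."""
import re
from typing import Dict, List, Tuple

# Constructed profile in the style of the page's fragment; names are assumptions.
# The prose for this tier would claim "nothing outbound" and "only your own stuff".
SAMPLE_PROFILE = """\
# L1 tier (constructed): "nothing outbound", "only your own stuff"
drive:
  list: true
  get: true
  share: true
  unshare: true
  delete: false
calendar:
  acl: true
gmail:
  send: false
  filters:
    create: true
auth:
  credentials:
    set: true
    unset: true
  status: true
  keyring: true
  remove: true
  tokens:
    list: true
    export: true
appscript:
  run: true
"""

# Capability classes a restricted tier should not enable silently. The patterns
# are assumed command names; adapt them to the real profile keys.
RISK_CLASSES: Dict[str, List[str]] = {
    "outbound_or_sharing": [r"^drive\.(share|unshare)$", r"^calendar\.acl", r"^gmail\.send$",
                            r"^chat\.send$", r"^gmail\.filters\."],
    "credential_control": [r"^auth\.keyring$", r"^auth\.credentials\.", r"^auth\.remove$",
                           r"^auth\.tokens\.(export|import)$", r"^auth\.service[_-]?account"],
    "script_execution": [r"^appscript\.run$"],
    "destructive": [r"\.delete$"],
}

_LINE = re.compile(r"^([A-Za-z0-9_\-]+):\s*(true|false)?$")


def parse_profile(text: str) -> Dict[str, bool]:
    """Parse the YAML subset the profile uses ('key:' opens a section, 'key: true|false'
    sets a command) into dotted paths such as 'auth.tokens.export' -> True."""
    caps: Dict[str, bool] = {}
    stack: List[Tuple[int, str]] = []          # (indent, key) of the open sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = _LINE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported profile line: {raw!r}")
        while stack and stack[-1][0] >= indent:  # close sections we have dedented out of
            stack.pop()
        key, value = m.group(1), m.group(2)
        if value is None:
            stack.append((indent, key))
        else:
            caps[".".join([k for _, k in stack] + [key])] = value == "true"
    return caps


def audit(caps: Dict[str, bool], claimed_off: List[str]) -> List[Tuple[str, str]]:
    """Return (risk_class, capability) for each enabled capability that falls in a
    class the tier's prose claims is switched off, e.g. 'nothing outbound' means
    'outbound_or_sharing' must produce no hits."""
    hits: List[Tuple[str, str]] = []
    for cls in claimed_off:
        for cap, enabled in sorted(caps.items()):
            if enabled and any(re.search(p, cap) for p in RISK_CLASSES[cls]):
                hits.append((cls, cap))
    return hits


if __name__ == "__main__":
    profile = parse_profile(SAMPLE_PROFILE)
    for cls, cap in audit(profile, ["outbound_or_sharing", "credential_control", "script_execution"]):
        print(f"{cls:22} {cap}")
```

Run against the constructed tier, the audit reports the sharing and calendar ACL commands as contradicting "nothing outbound", the keyring, credential and token-export commands as contradicting a collaboration-only profile, and `appscript.run` as script execution; a capability set to `false` (here `drive.delete`, `gmail.send`) is never reported. Any hit is a reason to edit the profile before building, as the Overview advises.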

VirusTotal

66/66 vendors flagged this skill as clean.
