Back to skill
Skillv1.0.1
ClawScan security
Md To Gdoc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 4:56 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions consistently implement a markdown→Google Docs converter that uses the gog CLI and python3; nothing in the script or SKILL.md requests unrelated credentials or system access.
- Guidance
- This skill appears to do what it says: convert a provided .md into a Google Doc using the gog CLI. Before installing/using: (1) Ensure you trust and have installed the gog CLI from its official source and review its OAuth scopes (it will need Drive/Docs access). (2) Authenticate only the Google account you intend to use (gog auth add). (3) Test on non-sensitive markdown first to confirm behavior. (4) The skill reads only the markdown file you pass; do not run it on directories or files that contain secrets you don't want uploaded to Google Drive.
Review Dimensions
- Purpose & Capability
- okName/description match the implementation: SKILL.md documents using the gog CLI and python3, and the included script performs exactly that (creates a Google Doc then updates it with markdown). No unrelated binaries, env vars, or config paths are requested.
- Instruction Scope
- okRuntime instructions and the script operate only on the provided markdown file and interact with gog (which in turn talks to Google). The script warns about missing headings, derives titles from filenames, creates a doc, and updates content. It does not read other files or attempt to transmit extra data to external endpoints beyond what gog/Google Drive require.
- Install Mechanism
- noteThis is an instruction-only skill (no installer). It depends on an external CLI (gog) and python3; those are declared in SKILL.md. The skill does not download or install code itself, but you must trust and install gog separately (SKILL.md links to the gog GitHub repo).
- Credentials
- okNo environment variables or secrets are requested by the skill. The only credential requirement is that the gog CLI be authenticated to a Google account (handled by gog auth); that is proportional to the stated functionality.
- Persistence & Privilege
- okThe skill does not request permanent/always-on presence and does not modify other skills or global agent config. It runs as a one-off script calling gog, which requires normal Google Drive permissions — standard for this task.