v1.0.0

Google Suite Skill

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 3:06 PM.

Analysis

This skill appears purpose-aligned for Google services, but it requests broad Google account control, stores reusable OAuth tokens locally, and lacks clear safeguards for destructive actions.

Guidance: Only install this if you are comfortable giving the agent broad access to Gmail, Calendar, and Drive. Prefer testing with a non-critical Google account, pin dependencies, restrict OAuth scopes, protect or regularly delete the token file, and require explicit confirmation before any send, delete, upload, download, or calendar modification action.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
skill.py
gmail.users().messages().delete(userId="me", id=msg_id).execute()
calendar.events().delete(calendarId='primary', eventId=event_id).execute()
drive.files().delete(fileId=file_id).execute()

The skill directly performs destructive Gmail, Calendar, and Drive API calls from provided parameters, with no visible approval, dry-run, or containment checks in the artifacts.

User impact: An incorrect or unintended invocation could delete emails, calendar events, or Drive files from the connected Google account.
Recommendation: Require explicit user confirmation for send, update, upload, download, and delete actions; add dry-run summaries and limit actions to user-approved IDs or folders.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: High; Status: Note
requirements.txt
google-api-python-client>=2.0.0
google-auth-httplib2>=0.1.0
google-auth-oauthlib>=0.4.0

The dependencies are purpose-aligned Google API libraries, but the lower-bound-only version constraints make installs non-reproducible and allow future package changes to be pulled in.

User impact: A future install could use different dependency versions than the author tested.
Recommendation: Pin exact package versions or provide a lockfile/hashes and an explicit install spec.
Cascading Failures
Severity: Medium; Confidence: High; Status: Concern
skill.py
dest_path = params.get("dest_path")
...
with open(dest_path, 'wb') as f:
    ...
    downloader = MediaIoBaseDownload(f, request)

Drive downloads write to a caller-supplied local path without visible path restrictions or overwrite protection, so one bad parameter can overwrite local files; the skill also operates on cloud-synced Google data without containment controls.

User impact: A mistaken download path could overwrite local files, and mistaken cloud actions could affect synced Google data.
Recommendation: Restrict downloads to a dedicated safe directory, block overwrites by default, validate paths, and require confirmation for actions that change local or cloud state.
Human-Agent Trust Exploitation
Severity: Medium; Confidence: High; Status: Concern
SKILL.md
- OAuth2 tokens are stored securely and never logged.
- All credentials are loaded from environment variables.
- No sensitive data is printed or logged.

The documentation makes strong security assurances, but the code writes OAuth tokens to a local JSON file and the registry metadata does not declare the credential requirements, making the safety posture appear stronger than the artifacts support.

User impact: Users may trust the skill with a Google account without realizing tokens are persisted locally and broad account permissions are required.
Recommendation: Revise the security section to accurately describe token storage, metadata credential requirements, and remaining risks; avoid unsupported claims such as secure storage unless implemented.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High; Confidence: High; Status: Concern
SKILL.md
- `https://www.googleapis.com/auth/gmail.modify`
- `https://www.googleapis.com/auth/calendar`
- `https://www.googleapis.com/auth/drive`

These OAuth scopes grant broad Gmail modification, full Calendar access, and broad Drive access, while the registry metadata declares no primary credential or required environment variables.

User impact: Installing and authenticating this skill can give the agent wide access to the user's Google account, including the ability to modify or delete important data.
Recommendation: Declare the OAuth credential requirements in metadata, split read-only and write actions, and use least-privilege scopes such as narrower Drive or Calendar scopes where possible.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: High; Confidence: High; Status: Concern
skill.py
TOKEN_PATH = Path(__file__).parent / 'google_suite_tokens.json'
...
with open(TOKEN_PATH, 'w') as token:
    token.write(creds.to_json())

The skill persists reusable OAuth tokens as a local JSON file in the skill directory, with no artifact evidence of encryption, restrictive file permissions, or explicit metadata disclosure of persistent credentials.

User impact: Anyone or anything with access to that token file may be able to reuse Google account access, and the access can persist beyond the original task.
Recommendation: Store tokens in an OS secret store or encrypted location, set restrictive file permissions, document the token lifecycle, and provide an easy revocation/cleanup path.