Back to skill
Skillv1.0.0
VirusTotal security
Google Suite Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:04 PM
- Hash
- 362f3d2747744531b22e080d3c0941afd207702779cf724c049e825114c89622
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: google-suite Version: 1.0.0 The skill provides broad access to Gmail, Google Calendar, and Google Drive APIs, including sending emails, managing events, and handling files. The `_drive_upload` and `_drive_download` functions in `skill.py` accept `file_path` and `dest_path` parameters directly from the agent's input, allowing the agent to upload arbitrary local files or download files to arbitrary local paths. This presents a significant vulnerability for data exfiltration or arbitrary file writes if the agent is compromised via prompt injection, as there is no input sanitization or restriction on these paths. OAuth2 tokens are also stored locally in `google_suite_tokens.json`, which could be a sensitive target.
- External report
- View on VirusTotal