ClawHub

gog-restricted

v1.0.3

Google Workspace CLI for Gmail, Calendar, and Auth (restricted via security wrapper).

0· 1.1k·0 current·0 all-time
by@cettoana
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description claim a restricted Google Workspace wrapper and the files do require a local 'gog' binary — that is coherent. The skill does not request unrelated credentials or services. Minor mismatch: SKILL.md documents a GOG_ACCOUNT environment variable as the default account, but requires.env lists none.
!
Instruction Scope
SKILL.md instructs the user to run script/setup.sh which will move the installed 'gog' binary and replace it with a wrapper. The wrapper enforces an allowlist and checks certain flags. The instructions modify system-level state (the installed gog) and require elevated permissions (sudo) to perform the change. There are no network exfiltration endpoints or hidden remote calls in the script, but the installation step is invasive and persistent.
!
Install Mechanism
There is no package/install spec, but the provided setup.sh performs an on-disk installation: it mv's the real binary to .gog-real and writes a wrapper to the original path using sudo, then makes it executable. Replacing a system binary from an untrusted skill is high-risk; the script comes from the skill bundle (so auditable), but it still requires administrator privileges and permanently alters the environment.
Credentials
The skill declares no required environment variables (primary credential: none), which matches that the wrapper enforces a local allowlist. However, SKILL.md references GOG_ACCOUNT as the default account; that variable is not declared in requires.env. No other unrelated credential or config access is requested.
!
Persistence & Privilege
The setup script persistently replaces the installed 'gog' binary and preserves the original as .gog-real. This is a privileged, persistent change (uses sudo). The skill itself is not marked always:true, but the install step still grants the skill ongoing control over a commonly-invoked CLI by intercepting all 'gog' calls.
What to consider before installing
This skill implements a local, persistent wrapper by moving your installed 'gog' binary and replacing it with a script — the installer uses sudo and will modify system files. If you consider installing: - Review the contents of script/setup.sh carefully (you already have it) and confirm you trust the source. The script here is readable and implements an allowlist, but replacing system binaries is high-risk. - Understand you'll need admin rights to install; prefer testing in a disposable environment (container, VM) first. - Backup the original gog binary before running, and verify the created .gog-real and wrapper are owned and permissioned as you expect. - Confirm whether you need GOG_ACCOUNT and set it deliberately; the skill references it but doesn't declare it in metadata. - If you cannot validate the origin/trust of the package or do not want a persistent change to your PATH, do not run setup.sh — instead run 'gog' directly or use non-invasive controls (wrapping via a shell alias or local wrapper in your user bin) to reduce risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk974ybzz596afgce0znaqw470h80yhsk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📬 Clawdis
Binsgog

Comments