Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Civic Google
v0.1.1
Use gog (Google CLI) without manual OAuth setup — Civic handles token management automatically
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to let agents run the gog CLI without manual OAuth setup and only requires the gog binary and a CIVIC_TOKEN. Those requirements and the described plugin behavior are coherent with that purpose.
Instruction Scope
The SKILL.md instructs the plugin to send the gog command prefix to app.civic.com for scope resolution and says arguments aren't logged. This is within the plugin's stated purpose, but it does transmit which subcommands/services you use to Civic. The doc also exposes an OPENCLAW_PROXY_URL override (example uses plain http://localhost:3013) — changing this could redirect scope resolution to another endpoint, so users should be careful where they point it.
Install Mechanism
This is an instruction-only skill (no install spec or code files). The SKILL.md tells users to install the OpenClaw plugin and brew-install gog; those are standard OS-level instructions and low-risk from this static review.
Credentials
The only required environment variable is CIVIC_TOKEN, which is appropriate for an OAuth-proxy service. However, CIVIC_TOKEN grants Civic account-level API access and therefore authorizes Civic to manage stored OAuth tokens on your behalf — you must trust Civic with that responsibility. The plugin does not request Google credentials, which is consistent.
Persistence & Privilege
always is false and the skill does not request system-wide configuration or other skills' credentials. Nothing in the SKILL.md indicates it modifies other skills or requires permanent elevated presence.
Assessment
This skill appears internally consistent: it asks only for the gog binary and a CIVIC_TOKEN and the instructions match its stated proxying behavior. Before installing, verify the Civic service and the claimed open-source repo (https://github.com/civicteam/openclaw-google and the npm package) so you can inspect how tokens are handled. Understand that Civic will learn which gog subcommands you run (the SKILL.md says arguments are not logged, but subcommand prefixes are), and that CIVIC_TOKEN grants Civic the ability to hold and refresh your Google OAuth tokens on your behalf — only proceed if you trust Civic. If you test locally, be cautious with OPENCLAW_PROXY_URL (don’t point it to untrusted remote endpoints) and store CIVIC_TOKEN securely; know how to revoke or rotate it via app.civic.com if you stop using the skill.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ev4ej9jm4nytnhq9j4w3t4h835p6h
Runtime requirements
🔑 Clawdis
Bins: gog
Env: CIVIC_TOKEN
