ClawHub
Back to skill
v1.0.0

Gog Local

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:07 AM.

Analysis

The skill is coherent for Google Workspace CLI use, but it grants broad OAuth-based access and includes commands that can send email or modify or clear Google Workspace data.

GuidanceReview this skill before installing if you plan to connect a real Google account. It is appropriate for Google Workspace automation, but grant the narrowest OAuth access you can, avoid using it with highly sensitive accounts unless necessary, and require explicit confirmation before any email sending, calendar creation, spreadsheet update, append, clear, or other write action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityHighConfidenceHighStatusConcern
SKILL.md
`gog gmail send --to a@b.com --subject "Hi" --body "Hello"` ... `gog sheets update ...` ... `gog sheets append ...` ... `gog sheets clear <sheetId> "Tab!A2:Z"`

The documented CLI operations include sending email and modifying or clearing spreadsheet data. The notes say to confirm before sending mail or creating events, but do not clearly require confirmation for all mutating operations such as Sheets clear/update.

User impactAn agent using this skill could make visible or destructive changes to Workspace data if it runs a mutating command without careful user review.
RecommendationRequire explicit user confirmation before every write, send, append, update, clear, copy, or delete operation, and prefer read-only commands unless the user specifically requests a change.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
install spec
brew | formula: steipete/tap/gogcli | creates binaries: gog

The skill depends on an external Homebrew tap to provide the executable. This is normal for a CLI integration, but the installed binary and formula contents are not included in the provided artifacts.

User impactThe behavior ultimately depends on the external gog CLI package installed from that tap.
RecommendationInstall only from a trusted source, verify the Homebrew formula and project homepage, and keep the CLI updated through trusted package-management channels.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityHighConfidenceHighStatusConcern
SKILL.md
`gog auth credentials /path/to/client_secret.json` ... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`

The skill instructs OAuth setup for a Google account across Gmail, Calendar, Drive, Contacts, Sheets, and Docs, which is broad delegated account access.

User impactInstalling and using the skill may let the agent access sensitive Google Workspace data and act through the user's Google account across several services.
RecommendationUse a dedicated or least-privileged Google OAuth client/account where possible, grant only the services needed for the task, and review/revoke OAuth access when finished.