Skill v1.0.0
ClawScan security
Gog V2 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 1:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only wrapper around the gog CLI for Google Workspace and only requires that binary and OAuth credentials, which matches its description.
- Guidance: This skill is a thin wrapper around the 'gog' CLI and appears coherent with that purpose. Before installing or using it:
  - Verify the brew tap/formula (steipete/tap/gogcli) is from a trusted source; inspect the formula or upstream project if possible.
  - Review the gog project's homepage/repo to confirm behavior and where OAuth tokens are stored.
  - When performing auth, understand that the client_secret.json and the OAuth tokens granted to the tool will allow access to Gmail, Drive, Calendar, Contacts, Sheets, and Docs — limit scopes and accounts used if you want least privilege (consider a dedicated account).
  - Prefer interactive consent and inspect any files the tool writes (token stores) after initial auth. If you are uncertain about the third-party tap, consider installing from a verified upstream release or building from source.
Review Dimensions
- Purpose & Capability (ok): Name/description advertise a Google Workspace CLI and the skill only requires the 'gog' binary and OAuth credentials; these are appropriate and proportional to the stated purpose.
- Instruction Scope (ok): SKILL.md contains only usage instructions for the gog CLI (auth setup, example commands for Gmail/Calendar/Drive/Contacts/Sheets/Docs). It does not instruct reading unrelated files or contacting endpoints other than the Google APIs via the gog tool. It mentions using a client_secret.json and OAuth flows, which is expected for this type of tool.
- Install Mechanism (note): Install uses a Homebrew formula (steipete/tap/gogcli). Brew installs are normal, but this is a third-party tap rather than a core/homebrew package. Users should verify the tap and formula source before installing.
- Credentials (ok): The skill declares no required environment variables. SKILL.md notes an optional GOG_ACCOUNT env var and requires an OAuth client_secret.json for setup — both are proportional. Be aware OAuth client secrets and resulting tokens will be used/stored by the gog CLI and grant access to Gmail/Drive/etc.
- Persistence & Privilege (ok): 'always' is false and the skill does not request system-wide configuration or modify other skills. Autonomous invocation is allowed by default (platform normal), and nothing here suggests excessive persistence or privilege escalation.
