v1.0.2

google-workspace-rave

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:25 AM.

Analysis

This skill is not plainly malicious, but it asks an agent to handle Google OAuth credentials and grants broad Google Workspace read/write/admin authority that users should review carefully.

GuidanceInstall only if you intentionally want an agent to operate Google Workspace. Before authorizing, verify the package publisher and version, grant only the minimum OAuth scopes, avoid pasting secrets into chat, store credential files securely, and require explicit confirmation before sending email, sharing files, deleting data, running batch commands, or performing Admin actions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

README.md

"It gives your AI agent full access to Google Workspace" and "Everything the Google Workspace APIs support" including "Gmail | Read, send, search, label, filter emails" and "Admin | User management, directory queries"

The skill intentionally exposes broad raw Workspace API authority, including sensitive read/write/admin operations, but the artifacts do not define mandatory confirmation, scope limits, or rollback expectations for high-impact mutations.

User impactA mistaken or overbroad agent action could send email, share Drive files, modify calendars or spreadsheets, change filters, or perform Workspace admin operations.

RecommendationRequire explicit user confirmation for send/share/delete/admin/write actions, use dry-run where available, restrict OAuth scopes to the exact services needed, and avoid granting Admin scopes unless necessary.

Agentic Supply Chain Vulnerabilities

SeverityMediumConfidenceHighStatusConcern

metadata / _meta.json

Registry: slug "google-workspace-rave", version "1.0.2", owner "kn7fya..."; _meta.json: "slug": "gws-workspace", "version": "1.1.0", "ownerId": "kn79as..."

The registry identity and packaged metadata do not match. For a skill that handles Google Workspace credentials and installs an external CLI, inconsistent provenance is material.

User impactUsers may not be able to easily verify which package/version/owner they are installing before granting high-value Google Workspace access.

RecommendationConfirm the publisher, package version, and dependency source before installing; prefer a package whose registry metadata, internal metadata, source repository, and homepage are consistent.

Cascading Failures

SeverityMediumConfidenceHighStatusNote

references/advanced.md

"# Delete all files in trash" followed by `gws drive files list ... --page-all | ... | xargs -I{} gws drive files delete`

The documented batch pattern can apply a Workspace action to every matched item. It is presented as an advanced example, not hidden behavior, but it can amplify a bad query or mistaken instruction.

User impactA broad query or copied batch command could delete or modify many files or messages at once.

RecommendationPreview batch results first, use dry-run when supported, limit queries tightly, and require manual approval before bulk delete or bulk modification commands.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

SKILL.md / metadata

SKILL.md: "Prompt the user to provide their Google Cloud OAuth `client_secret.json`... upload the file or paste its contents into the chat... save it as `credentials.json`"; metadata: "Primary credential: none"

The skill directs the agent to collect and store OAuth credential material even though the registry does not declare a primary credential. This grants Google account or Workspace authority and is not clearly bounded by metadata.

User impactIf installed and authorized, the agent may gain access to sensitive Gmail, Drive, Calendar, Admin, and other Workspace data under the granted Google account or service account.

RecommendationUse least-privilege OAuth scopes, prefer a dedicated service account where possible, avoid pasting secrets into chat, store credentials outside shared workspaces with restrictive permissions, and revoke tokens when no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

references/advanced.md

`gws mcp` ... "exposes all Workspace operations as MCP tools for compatible AI agents and IDEs."

The MCP server is an optional documented feature, but if run, it can expose the same broad Workspace authority to other agent or IDE clients.

User impactOther tools connected to the MCP server could perform Google Workspace operations using the configured credentials.

RecommendationRun the MCP server only in a trusted local environment, restrict client access, and combine it with least-privilege OAuth scopes.