GOG Extended

Security checks across malware telemetry and agentic risk

Overview

This Google Workspace skill is coherent, but it gives an agent broad access to email, calendar, contacts, documents, and spreadsheets with under-scoped safety guidance for sensitive reads and write actions.

Install only if you trust the gog CLI and are comfortable granting Google Workspace OAuth access. Prefer the minimum Google services needed for the task, confirm the active account before use, require approval before sending email or changing calendars/sheets/docs, and avoid --no-input for any write, send, delete, clear, or bulk data operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill prominently teaches retrieval of full email bodies and attachments, including automation-oriented parsing, without any warning about sensitive content, secrets, personal data, or authorization boundaries. In an agent setting, this increases the chance of over-collection and unintended exposure of highly sensitive mailbox contents.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation includes commands for sending emails, creating drafts, and replying, but does not warn that these actions can create external side effects and communicate with third parties. In an autonomous or semi-autonomous agent workflow, this can lead to unauthorized outreach, phishing-like behavior, data leakage, or reputational harm.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill documents creating and updating calendar events and updating/appending/clearing spreadsheet data without highlighting destructive or state-changing consequences. This makes accidental modification of business records, schedules, or shared documents more likely, especially when used by automation.

Missing User Warnings

Medium
Confidence: 80%
Finding
Recommending `--no-input` to skip confirmations in scripts reduces an important safety barrier and can enable unattended actions against email or workspace data. In a skill centered on extracting full email bodies and attachments, suppressing prompts makes accidental bulk access, downloads, or destructive operations easier to perform without user review.

VirusTotal

38/38 vendors flagged this skill as clean.
