Gog2
v1.0.0Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.
⭐ 0· 404·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared purpose (Google Workspace CLI) matches the required binary 'gog' and the SKILL.md commands (Gmail, Drive, Sheets, Docs, etc.). However, the skill package is named 'Gog2'/slug 'gog2' in the registry while internal files (SKILL.md and _meta.json) use 'gog' and a different ownerId — that inconsistency is unexplained and could indicate repackaging or metadata errors.
Instruction Scope
SKILL.md stays on scope: it tells the agent to run the gog CLI and to perform OAuth setup (supply client_secret.json, add an account, then run search/send/export commands). It does not instruct reading arbitrary system files or exfiltrating data. It does require the user to supply OAuth credentials and to grant broad Google scopes if you enable gmail/calendar/drive/etc.
Install Mechanism
The install uses a Homebrew formula (steipete/tap/gogcli), which is a standard installer mechanism but from a third‑party tap. That is lower risk than an arbitrary URL download but still requires trusting the tap owner; review the formula/tap before installing.
Credentials
No environment variables are required, which aligns with a CLI that uses OAuth files. The SKILL.md asks you to provide a client_secret.json and to possibly set GOG_ACCOUNT — these are reasonable for the stated purpose. However, the skill requests broad Google API scopes (gmail/calendar/drive/contacts/sheets/docs) — granting those gives extensive access to user data and should be considered high‑sensitivity.
Persistence & Privilege
The skill is not always-enabled and does not request special system config paths or credentials. Autonomous invocation is allowed (default) but not in itself a red flag here.
What to consider before installing
This skill appears to be a wrapper for a Google Workspace CLI and its instructions are consistent with that purpose, but take these precautions before installing or using it:
- Verify the brew tap (steipete/tap) and inspect the Homebrew formula on Github or the tap's repo to ensure it installs the expected gog binary and not additional/unexpected code.
- Confirm ownership: the registry entry lists 'gog2' and an ownerId that differs from the ownerId inside _meta.json; ask the publisher or check the project homepage (https://gogcli.sh) to confirm the correct package and author.
- Be cautious with OAuth: the tool requires a client_secret.json and will request broad scopes (Gmail, Drive, Calendar, etc.). Only supply these if you trust the binary; review where the gog tool stores tokens and ensure you can revoke them.
- Prefer official/distributed releases from the upstream project or a well-known tap. If unsure, run the formula in a sandbox/container or inspect the installed binary before granting access.
- If you proceed, test with a low‑privilege or expendable Google account first and revoke OAuth consent when finished.
If you can provide the Homebrew formula URL or a canonical project repo/homepage that verifies the publisher, I can reassess and may raise confidence to high.Like a lobster shell, security has layers — review code before you run it.
latestvk97dmj0ey6p1bztcq60eveyvrs81t13c
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎮 Clawdis
Binsgog
Install
Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli