Skillv1.0.2

ClawScan security

Gws Admin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 4, 2026, 11:04 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's declared surface is coherent with a Google Workspace admin CLI, but it omits any declared authentication/credential requirements and depends on an external shared SKILL.md for auth—this gap makes its true runtime requirements unclear and worth caution.
Guidance: This skill appears to be a CLI wrapper for Google Workspace admin tasks, which legitimately requires admin credentials and will be able to perform destructive actions (delete, wipe, deprovision). Before installing: 1) Verify the provenance of the 'gws' binary (who provides it, is it signed, where is it installed?), 2) Inspect ../gws-shared/SKILL.md (or ask the author) to see exactly how authentication is handled and where credentials/tokens are stored, 3) Ensure the skill declares the required env vars or config paths and that those are limited to least privilege (a dedicated admin service account with minimal scopes), 4) Avoid enabling autonomous invocation until you confirm where credentials live and that the skill only uses them for intended API calls, and 5) If possible, test in an isolated/test Google Workspace account first. If the author cannot provide the missing auth details and provenance for the gws CLI, treat the skill as untrusted.

Review Dimensions

Purpose & Capability: noteName/description (Google Workspace Admin) align with the documented CLI actions (users, groups, devices). Requiring a 'gws' CLI binary is reasonable if this is a wrapper for the Admin SDK. However, the skill does not declare any auth/environment variables even though admin operations require credentials; it explicitly defers auth to ../gws-shared/SKILL.md which is outside this package, creating an unexplained dependency.
Instruction Scope: concernSKILL.md enumerates powerful, potentially destructive admin operations (remote wipe, deprovision, delete resources) which is expected for an admin tool, but the runtime instructions instruct the agent to read/use a sibling SKILL.md for auth and to run `gws generate-skills` if missing. Those steps may create files or credentials at runtime; because this skill gives no explicit boundary or description of what files/paths will be read or written, the instruction scope is underspecified and could result in unexpected access or state changes.
Install Mechanism: okInstruction-only skill with no install spec or bundled code. That minimizes direct install risk (nothing will be downloaded or written by the skill itself). The higher-risk actions arise from the external 'gws' binary and the referenced shared SKILL.md, not from an installer here.
Credentials: concernThe skill declares no required environment variables or primary credential, yet the documented operations require Google Workspace admin credentials/OAuth tokens. The fact that auth is delegated to a separate gws-shared skill but not declared here is an inconsistency: the skill should explicitly state what credentials or config it needs and where they are stored. Lack of declared credentials prevents proper review of what secrets the skill will access.
Persistence & Privilege: noteThe skill does not request always:true, does not claim system-wide config access, and has no declared config paths. That is appropriate. However, because instructions suggest generating shared auth/config files, installing this skill could indirectly cause persistent credentials/config to be written by the shared tooling—verify that behavior in the referenced gws-shared files before granting it access.