Skill v1.0.12
ClawScan security
Gws Chat Send · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 6:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared behavior (sending messages via the gws CLI) is plausible, but the runtime instructions defer authentication and security rules to a sibling file (../gws-shared/SKILL.md) that is not part of this skill and its credential needs are not declared — that hidden dependency is a red flag.
- Guidance: This skill appears to be a thin wrapper around the local 'gws' CLI for sending Google Chat messages, which is reasonable — but it hides authentication and security behavior in a separate file (../gws-shared/SKILL.md). Before installing or enabling it: 1) open and inspect ../gws-shared/SKILL.md (or the output of `gws generate-skills`) to see exactly how auth is obtained and where any tokens/credentials are stored; 2) verify the 'gws' binary on your system (how it was installed, its vendor, and that it is the expected tool); 3) confirm you’re comfortable with a write-capable action that can post messages on your behalf and require explicit user confirmation before executing. If the shared file shows only benign global flags and standard user OAuth flows (with explicit consent) and you trust the gws binary source, the risk is low; if it references service account keys, secret files, or remote endpoints for token storage, do not enable the skill without further review.
Review Dimensions
- Purpose & Capability (ok): Name/description map to the requested binary (gws) and the documented CLI invocation (gws chat +send). Requiring the gws CLI is coherent with sending Google Chat messages.
- Instruction Scope (concern): The SKILL.md instructs the agent to read ../gws-shared/SKILL.md for auth, global flags, and security rules. That directs the agent to read a file outside this skill's bundle (potentially exposing or relying on credentials or other sensitive configuration) and to run gws generate-skills if it's missing. Instructions that reference external skill files or create files on disk broaden the scope and should be inspected before use.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. Note: the guidance to run `gws generate-skills` can create files, but that action is a separate CLI operation rather than an automatic install step of this skill.
- Credentials (concern): The skill declares no required environment variables or credentials, yet explicitly defers auth to a shared SKILL.md. This omission hides where credentials come from (user OAuth vs service account vs stored tokens). The lack of declared credentials makes it unclear what secrets the agent will need or access.
- Persistence & Privilege (ok): The skill is not marked always:true and has no install-time persistence. It can be invoked autonomously per platform defaults, which is expected for a CLI-integrating skill and not, by itself, a new risk.
