Skill v1.0.12

ClawScan security

Gws Drive Upload · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 31, 2026, 6:34 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and instructions are consistent with a Google Drive upload helper, but it relies on an external 'gws-shared' SKILL.md for auth/global flags (not present), so you should verify that shared config and the gws CLI before using.
Guidance
This skill appears to be a simple wrapper that runs the gws CLI to upload files to Google Drive — that is coherent. Before installing or invoking it: (1) verify you trust the gws binary on your PATH and know how it stores credentials (OAuth tokens/config files); (2) locate and review the referenced ../gws-shared/SKILL.md (or inspect what `gws generate-skills` would create) so you know what auth/global flags the agent will use; (3) be aware this runs a write operation to your Drive — confirm with the user and review file contents/target folder/parent ID before uploading; (4) if you need stronger guarantees, run the command manually first or inspect gws config files to ensure minimal privileges. The missing shared SKILL.md is the main uncertainty — if you can provide it, confidence in this assessment would increase.

Review Dimensions

Purpose & Capability
ok: Name/description (upload to Google Drive) match the declared requirement: the gws CLI binary is the only required tool and is a reasonable dependency for a Drive upload helper.
Instruction Scope
note: The SKILL.md instructs the agent to read ../gws-shared/SKILL.md for auth, global flags, and security rules (and to run `gws generate-skills` if missing). That means the agent may attempt to read files outside this skill and invoke the gws CLI to create or modify config. Behavior related to auth is expected, but the referenced shared file is not included here, which increases uncertainty about exactly what will be read/changed at runtime.
Install Mechanism
ok: Instruction-only skill (no install spec, no code files). This is low risk in terms of writing arbitrary code to disk; runtime risk comes from calling the external gws binary.
Credentials
note: No environment variables or credentials are declared by this skill. In practice the gws CLI likely uses local config/credentials (OAuth tokens, config files). That is proportionate to uploading to Drive, but you should confirm where gws stores credentials and that those credentials are limited to the expected Google account/project.
Persistence & Privilege
ok: Skill is not always-enabled and does not request special platform persistence. It can be invoked by the agent normally; nothing here indicates it modifies other skills or system-wide settings beyond using gws.