Back to skill
Skillv1.0.0
ClawScan security
Gws Groupssettings · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 8:14 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper that calls a local 'gws' CLI to manage Google Groups settings; its requirements and instructions are consistent with that purpose, but you should verify the shared auth artifact and the provenance of the 'gws' binary before use.
- Guidance
- This skill simply wraps a local 'gws' CLI to call the Google Groups Settings API — that is coherent. Before installing/using it: (1) Verify the origin and integrity of the 'gws' binary you will run (install only from a trusted source). (2) Inspect the referenced ../gws-shared/SKILL.md (or what gws generate-skills would create) to see how authentication is handled and where credentials or tokens will be stored. (3) Ensure the credentials used by 'gws' have only the minimum Google Workspace scopes needed to manage group settings. (4) If you want to be extra cautious, run gws commands in a controlled/test account or environment first so you can observe what files or tokens are created.
Review Dimensions
- Purpose & Capability
- okThe name/description (manage Google Groups settings) matches the declared dependency on a 'gws' CLI. No unrelated binaries, env vars, or configs are requested.
- Instruction Scope
- noteSKILL.md only instructs using the 'gws' CLI and its schema to call groupssettings methods. It references a ../gws-shared/SKILL.md for auth and global flags — that external file is required for auth behaviour but is not included here, so review it before use.
- Install Mechanism
- okThere is no install spec (instruction-only), so nothing will be downloaded or written by the skill itself. This is the lowest-risk install posture.
- Credentials
- noteThe skill declares no environment variables, which is reasonable because auth appears delegated to the 'gws' CLI or to the referenced shared SKILL.md. Confirm how 'gws' obtains credentials (local OAuth token, service account file, or env vars) to ensure requested privileges are proportional.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does reference generating a shared SKILL.md (which may write auth/config files if you run it), but the skill itself does not request elevated platform privileges.