ClawHub

Gws Shared

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill coherently documents use of the gws CLI, including expected Google authentication and broad API flags, with no evidence of hidden or deceptive behavior.

Before using this skill, make sure the gws binary is one you trust, authenticate with the least-privileged Google identity that can complete the task, and require confirmation for any command that writes, deletes, uploads, or saves files.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

#
ASI03: Identity and Privilege Abuse
Medium
What this means

If installed and used, gws commands may act with the permissions of the logged-in Google account or service account.

Why it was flagged

The skill documents OAuth and service-account authentication, which is expected for Google Workspace CLI use but delegates account or workspace authority to subsequent commands.

Skill content
# Browser-based OAuth (interactive)
gws auth login

# Service Account
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
Recommendation

Use the least-privileged Google account or service account needed, protect service-account key files, and review the exact target and scope before approving any write/delete action.

#
ASI02: Tool Misuse and Exploitation
Low
What this means

Incorrect or overbroad commands could modify workspace data or upload/download files if a user approves them.

Why it was flagged

The reference exposes broad CLI patterns for making Google Workspace API requests, including request bodies, file uploads, and file outputs; this is purpose-aligned, and the same artifact tells agents to confirm write/delete commands.

Skill content
gws <service> <resource> [sub-resource] <method> [flags]
...
`--json '{"key": "val"}'` | Request body |
`-o, --output <PATH>` | Save binary responses to file |
`--upload <PATH>` | Upload file content (multipart) |
Recommendation

Ask the agent to show the exact gws command, target resource, request body, and file paths before running mutating commands; use --dry-run where supported.