Gws Slides
v1.0.12
Google Slides: Read and write presentations.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Requiring the 'gws' CLI is consistent with a Google Slides CLI wrapper. However the skill does not declare any authentication credentials or primaryEnv even though the SKILL.md references an external shared auth file (../gws-shared/SKILL.md). That missing declaration is an inconsistency between purpose and the skill's declared requirements.
Instruction Scope
The runtime instructions explicitly tell the agent to read ../gws-shared/SKILL.md for auth, global flags, and security rules, or to run `gws generate-skills` to create it. Pointing the agent to read a file outside the skill directory (and potentially to generate files) is scope-creep: it could access authentication configuration or create files that change environment-level settings. The rest of the instructions (using gws to inspect schema and call slides methods) are in-scope.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This minimizes install-time risk. The only runtime dependency is the external 'gws' binary, which is reasonable for a CLI-based Slides integration.
Credentials
The skill declares no required environment variables or primary credential even though it relies on authentication described in a separate shared SKILL.md. This lack of explicit credential requirements is disproportionate and unclear — the skill should declare how Google Workspace auth is provided (env vars, token files, OAuth client config, etc.).
Persistence & Privilege
The skill does not request always:true and does not indicate modifying other skills or system-wide settings. The only persistence-related concern is the instruction to create or read ../gws-shared/SKILL.md, which could write or read auth/config files, but the skill itself does not claim permanent elevated privileges.
What to consider before installing
This skill appears to be a thin wrapper around a 'gws' CLI for Google Slides, which is reasonable — but it defers authentication to a sibling file (../gws-shared/SKILL.md) that is not included. Before installing or enabling it:
1) Ask the publisher where authentication is stored and request explicit documentation of required env vars or token files.
2) Locate and inspect the referenced ../gws-shared/SKILL.md (or any generated files) to confirm they don't expose credentials or write to broad locations.
3) Verify the provenance of the 'gws' binary you will run (official distribution, path, version).
4) If you must allow the skill to run autonomously, consider limiting it to a test account or workspace until you confirm the auth flow and file locations.
If the publisher cannot provide the missing shared SKILL.md or clear auth details, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
Plugin bundle (nix)
Skill pack · CLI binary · Config
CLI help (from plugin)
gws slides --help
Runtime requirements
Bins: gws
latest
slides (v1)
PREREQUISITE: Read `../gws-shared/SKILL.md` for auth, global flags, and security rules. If missing, run `gws generate-skills` to create it.
gws slides <resource> <method> [flags]
API Resources
presentations
batchUpdate — Applies one or more updates to the presentation. Each request is validated before being applied. If any request is not valid, then the entire request will fail and nothing will be applied. Some requests have replies to give you some information about how they are applied. Other requests do not need to return information; these each return an empty reply. The order of replies matches that of the requests.
create — Creates a blank presentation using the title given in the request. If a presentationId is provided, it is used as the ID of the new presentation. Otherwise, a new ID is generated. Other fields in the request, including any provided content, are ignored. Returns the created presentation.
get — Gets the latest version of the specified presentation.
pages — Operations on the 'pages' resource
Discovering Commands
Before calling any API method, inspect it:
# Browse resources and methods
gws slides --help
# Inspect a method's required params, types, and defaults
gws schema slides.<resource>.<method>
Use gws schema output to build your --params and --json flags.
