Back to skill
Skillv1.0.12
ClawScan security
Recipe Bulk Download Folder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only recipe that simply runs the gws CLI to list and download Drive files and its requirements match that purpose.
- Guidance
- This recipe is coherent but check the following before using it: ensure the gws binary installed on your system is from a trusted source and that you have properly authenticated gws (the recipe assumes gws/gws-drive handle credentials). Be cautious when downloading an entire folder: files will be written to the agent's working directory and could overwrite local files — provide safe output filenames or an empty target directory. Confirm you have permission to access the Drive folder and that exporting/downloading these files complies with your data policies. Finally, verify the declared dependency on the gws-drive skill is available in your agent so authentication and Drive API calls work as expected.
Review Dimensions
- Purpose & Capability
- okThe skill's name/description (bulk download from Google Drive) match the declared requirement for the gws binary and the dependent skill gws-drive. Nothing requested appears unrelated to Drive access.
- Instruction Scope
- noteThe SKILL.md only instructs the agent to run gws commands to list, download, and export files from a Drive folder — that stays within the stated purpose. Note: the recipe will download all files in a folder and writes to disk using provided output names (risk of overwriting local files); it assumes the agent/environment has valid gws authentication already.
- Install Mechanism
- okInstruction-only skill with no install spec — nothing is written to disk by the skill itself. This is the lowest-risk install model.
- Credentials
- okThe skill declares no environment variables or credentials, which is reasonable because it relies on the gws binary and the gws-drive skill to handle authentication. It does not request unrelated secrets or config paths.
- Persistence & Privilege
- okalways is false and the skill does not request permanent presence or attempt to modify other skills/configuration. Autonomous invocation is allowed by default but is not combined with other concerning privileges.