Back to skill
Skillv1.0.12
ClawScan security
Recipe Create Shared Drive · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:36 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only recipe that simply runs the gws CLI to create a Google Shared Drive and manage permissions; its requirements and instructions are consistent with that purpose.
- Guidance
- This recipe will run your local gws CLI to create drives and add people using whatever Google credentials gws is configured with. Before using: (1) verify the gws binary is the official/trusted client and inspect how it authenticates (OAuth or service account); (2) ensure the account gws uses has only the needed Drive privileges; (3) test in a safe project or with test accounts to avoid accidentally granting access; (4) confirm email addresses and roles before executing permission changes. The skill itself contains no hidden commands or unrelated access, but the actions executed will be as powerful as the authenticated Google identity gws uses.
Review Dimensions
- Purpose & Capability
- okName/description match the actions in SKILL.md (create a Shared Drive and manage permissions). Declared requirement of the gws binary and the gws-drive skill is appropriate for a Google Workspace Drive recipe.
- Instruction Scope
- okRuntime instructions only invoke gws subcommands related to drives and permissions. They do not read unrelated files, env vars, or send data to external endpoints outside the gws tool's scope. Placeholders (e.g., DRIVE_ID) are used as expected.
- Install Mechanism
- okThere is no install spec and no code files — this is instruction-only, which is lowest-risk. The skill assumes an existing gws binary rather than downloading anything.
- Credentials
- noteThe skill itself does not declare required environment variables or credentials, but the gws binary almost certainly requires Google authentication (OAuth or service-account keys) to act on Drive. The absence of declared credentials is not necessarily malicious, but you should confirm how gws is authenticated on your system before running this recipe.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent system-wide changes or attempt to modify other skills or agent configuration.