Skill v1.0.12

ClawScan security

Recipe Email Drive Link · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 31, 2026, 6:36 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The instructions, required binary, and declared dependent skills align with the stated purpose (share a Drive file and email the link); the recipe is coherent and contains no unexpected requests.
Guidance
This recipe appears coherent, but check a few practical things before installing/using it:
- Confirm the gws CLI you have is from a trusted source and that you understand which Google account it's authorized to use.
- Inspect the gws-drive and gws-gmail skills (the recipe depends on them) to see what credentials/scopes they require — they will control which Drive files and recipients can be accessed or emailed.
- Verify the permission being granted (role/type). Avoid using broad scopes like 'anyoneWithLink' unless intended.
- Double-check recipient addresses and FILE_ID before running to avoid accidental data exposure.
- If you need stronger assurance, run the commands in a test account or with a non-sensitive file first.

Overall: the skill does what it says, but its behavior depends entirely on the gws CLI and the referenced skills' authentication — review those before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the runtime instructions. The skill only needs the gws CLI and the gws-drive and gws-gmail recipe skills to list a file, add Drive permissions, and send an email — these are expected for the stated task.
Instruction Scope
note: SKILL.md confines actions to gws drive and gmail commands (list files, create permission, send email). It does not instruct reading local files or unrelated environment variables. Note: it assumes the referenced gws-* skills provide authentication/credentials; this recipe itself does not declare or manage those credentials.
Install Mechanism
ok: Instruction-only skill with no install spec and no code to write to disk — lowest install risk.
Credentials
note: The recipe declares no environment variables itself, which is reasonable because it delegates auth to gws-drive and gws-gmail. You should verify those dependent skills' credentials and scopes (Google OAuth tokens) before use; otherwise the skill will operate with whatever account those skills are authorized for.
Persistence & Privilege
ok: Does not request always:true or system-wide configuration changes. It is user-invocable and does not persist beyond executing the gws commands.