sdfsdfsd
WarnAudited by ClawScan on May 10, 2026.
Overview
This looks like a plausible Google Workspace CLI wrapper, but it asks for broad Google account access and includes write/delete commands without fully clear credential and approval boundaries.
Only install this if you are comfortable granting a CLI access to the selected Google Workspace services. Review OAuth scopes, use the narrowest account and permissions possible, and manually approve any action that sends email or changes Google data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may grant the CLI access to email, calendar, files, contacts, spreadsheets, and documents for the selected Google account.
The skill requires delegated Google OAuth access across Gmail, Calendar, Drive, Contacts, Sheets, and Docs, while the supplied registry metadata lists no primary credential. This is purpose-aligned but high-impact and under-declared.
Requires OAuth setup. ... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`
Use a dedicated or least-privileged Google account where possible, review the OAuth consent scopes carefully, and revoke access if you stop using the skill.
If invoked without careful review, the agent could send messages or modify spreadsheet data in a connected Google account.
The instructions expose mutating Google Workspace operations, including email sending and spreadsheet modification/clearing. The confirmation guidance is partial and does not explicitly cover all write/delete-style commands.
`gog gmail send --to a@b.com --subject "Hi" --body "Hello"` ... `gog sheets update ...` ... `gog sheets append ...` ... `gog sheets clear <sheetId> "Tab!A2:Z"` ... `For scripting, prefer --json plus --no-input.` ... `Confirm before sending mail or creating events.`
Require explicit user approval for every send, create, update, append, clear, copy, or other write operation, and prefer read-only OAuth scopes until write access is necessary.
Security depends on the upstream Homebrew package and gog CLI implementation, especially because it will handle OAuth tokens and Google data.
The reviewed skill is instruction-only and relies on an external Homebrew formula for the executable. This is central to the stated purpose, but the executable code was not included in the provided artifacts.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the upstream project and formula before installing, keep it updated from a trusted source, and review gog's documentation for credential storage and revocation.