Skill v1.0.0

ClawScan security

sdfsdfsd · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 3:41 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only wrapper that expects the gog CLI (installed from a Homebrew tap) and OAuth credentials to operate; its requirements and instructions are coherent with a Google Workspace CLI.
Guidance
This skill appears to be what it says: a wrapper around the 'gog' Google Workspace CLI. Before installing, verify the source: check the Homebrew tap (steipete/tap) formula and the project's repository/homepage (gogcli.sh) to confirm maintainers and review code. Be deliberate about OAuth credentials: follow least-privilege practices (create a dedicated test Google account or limited-scope client), inspect the OAuth consent/scopes requested, and do not reuse high-privilege or personal workspace credentials without reviewing the code. Because the brew formula is from a third-party tap, consider inspecting the formula (brew edit/view) or installing in a sandbox/VM first. Finally, the skill metadata contains placeholder names and an unknown registry source—that decreases signal about maintainership but does not contradict the skill's stated function; treat accordingly.

Review Dimensions

Purpose & Capability
note: The description (Google Workspace CLI) matches the runtime instructions which call the gog binary. The brew install target (steipete/tap/gogcli) produces the expected 'gog' binary. Minor oddities: the skill and SKILL.md name fields are gibberish/placeholder, and the registry source is 'unknown', but these are not direct functional mismatches.
Instruction Scope
ok: SKILL.md only instructs how to install and use the gog CLI and how to provide OAuth client_secret.json and add an account for the listed Google services. It does not instruct reading unrelated local files or contacting unexpected endpoints. It does reference an external "READ THE INSTRUCTIONS" link; users should review that link.
Install Mechanism
note: The install method uses a third-party Homebrew tap (steipete/tap/gogcli) to install the 'gog' binary. Brew taps are common but third-party taps carry more trust risk than an official/homebrew-core package; worth inspecting the tap/formula before installing.
Credentials
note: The skill does not declare required env vars, but usage implies supplying an OAuth client_secret.json and granting access to Gmail/Calendar/Drive/Contacts/Sheets/Docs. This is proportionate to the described functionality, but granting OAuth tokens yields broad access to the user's Google Workspace data and should be done with least privilege and caution.
Persistence & Privilege
ok: 'always' is false and the skill does not request system-wide or persistent privileges beyond installing/using the 'gog' CLI. Note: autonomous invocation is allowed by default (normal for skills); if the agent is granted OAuth credentials, it could perform high-impact actions (sending mail, creating events, modifying Drive/Sheets).