ClawHub

Google Gog

v1.0.0

OAuth token refresh management for Google APIs via gog CLI.

0· 782·4 current·4 all-time
by@herry3zz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to manage Google OAuth tokens via the 'gog' CLI, which is a coherent purpose, but the registry metadata declares no required binaries, env vars, or config paths. The SKILL.md clearly expects the 'gog' binary, a credentials file (~/.openclaw/credentials/client_secret.json), and a keyring backend — these are missing from the declared requirements.
!
Instruction Scope
The runtime instructions tell the agent/user to run gog commands that will read a local credentials file and to export GOG_KEYRING_PASSWORD for headless operation. Those instructions reference reading local config and setting secret-bearing env vars that are outside the declared scope. The SKILL.md also hardcodes a specific email account (xtyherry@gmail.com), which is unexpected and could mislead users into reusing someone else's identity or credentials.
Install Mechanism
There is no install spec (instruction-only), which reduces the risk of arbitrary code being downloaded. However, this also means the skill implicitly depends on the host having the 'gog' CLI and a keyring available — dependencies that should be declared but are not.
!
Credentials
The SKILL.md instructs exporting GOG_KEYRING_PASSWORD and references a credentials JSON path, but the metadata lists no required env vars or config paths. Requesting a password via environment and recommending a file keyring backend (GOG_KEYRING_BACKEND=file) can expose secrets if not used carefully; these sensitive requirements should be explicitly declared and justified.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It instructs storing tokens in the OS keyring (normal for credential tools) and does not ask to modify other skills or global agent settings.
What to consider before installing
This skill's instructions expect you to already have the 'gog' CLI, a client_secret.json at ~/.openclaw/credentials, and to set a keyring password via GOG_KEYRING_PASSWORD, but none of those are listed in the metadata — that's the main inconsistency. Before installing or running commands: 1) Verify the origin and integrity of the gog CLI binary (don't run unknown binaries). 2) Replace the hardcoded email and credentials path with your own account and your own client_secret.json; do not use the embedded account. 3) Avoid exporting secrets in plaintext environment variables when possible; prefer native OS keyrings and documented secure workflows. 4) Confirm what 'gog' does with stored tokens (network endpoints it contacts) to ensure no unexpected exfiltration. 5) Ask the skill author to update the metadata to declare required binaries, config paths, and env vars (or provide an installer) so you can audit dependencies. If you can't verify these points, run the tool in a sandboxed or isolated environment rather than on production data.

Like a lobster shell, security has layers — review code before you run it.

latestvk979ddt7qtmjj8nd528cbd9p0h81xddm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments