Google Gog

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a coherent Google API helper, but users should handle its OAuth and keyring setup carefully.

Install only if you trust the gog CLI workflow and are comfortable granting Google OAuth scopes for the services you plan to use. Prefer an OS-native keychain or secret manager for tokens, avoid putting long-lived keyring passwords in environment variables when possible, and keep credential files restricted to your user account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly recommends automation using a file-based keyring backend and a keyring password supplied via environment variable, but provides no warning about the security tradeoffs. Environment variables can be exposed through shell history, process inspection, CI logs, or misconfigured telemetry, and a file backend weakens protections compared to an OS-native secure keychain.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal