Google Drive

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Google Drive helper, but it deserves review because it can use broad long-lived Google credentials and the credential/scope boundaries are not tightly constrained.

Install only if you are comfortable giving an agent Drive access for the selected account. Prefer one auth mode, use a dedicated least-privileged Google account or service account, avoid domain-wide delegation unless required, and confirm the target account, folder, and filename before uploads or folder creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'req' from os.environ.get (line 120, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        method="POST",
    )
    try:
        with urllib.request.urlopen(req) as resp:
            data = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode("utf-8", "replace")
Confidence
81% confidence
Finding
with urllib.request.urlopen(req) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises powerful capabilities—environment variable access, file read/write, network access, and shell execution—yet does not declare explicit permissions. This creates a transparency and policy-enforcement gap: users or orchestrators may grant or invoke the skill without understanding that it can access credentials and move data to external services.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill description says it accesses Google Drive, but the code also supports creating folders and uploading content. This capability expansion matters in an agent setting because users or operators may grant the skill trust assuming read-oriented access, while it can also modify remote data and potentially overwrite workflows or plant content in shared drives.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest describes authentication via service-account JSON or refresh token, but the CLI also permits arbitrary scope selection and delegated subject impersonation. In an agent environment, undisclosed auth flexibility can let callers escalate privileges far beyond expected Drive access and act as another user when domain-wide delegation is enabled.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The tool allows callers to set any OAuth scope through --scope, while defaulting to broad full-drive access. In a skill context, this is more dangerous because an LLM agent or untrusted caller could request broader Google scopes than intended, turning a Drive helper into a more general privileged Google API token minting primitive.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The optional delegated user email enables impersonation via the sub claim when service accounts are configured with domain-wide delegation. This substantially increases risk because the tool may act as arbitrary users in a Google Workspace domain, which is far more sensitive than ordinary Drive API access and is not clearly disclosed by the skill description.

VirusTotal

65/65 vendors flagged this skill as clean.
