Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tmp

v1.0.1

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.

by @jambo-jet-love · fork of @steipete/gog (1.0.0)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's description and top-level SKILL.md match a Google Workspace CLI (gog/gogcli) and the install spec (brew steipete/tap/gogcli) aligns with that purpose. However: the package root/manifest and registry metadata are inconsistent (skill name/slug 'Tmp' vs. repo content for 'gogcli'), and the bundle also includes a separate gmail/SKILL.md that documents use of a third-party Maton API gateway — a capability not reflected in the top-level requirements or primary description. The brew install and required 'gog' binary are proportionate to the stated CLI purpose.
! Instruction Scope
The top-level SKILL.md instructs normal gog CLI usage and local OAuth credential setup. But the included gmail/SKILL.md instructs users to set MATON_API_KEY and to call https://gateway.maton.ai and https://ctrl.maton.ai (including code samples that read os.environ['MATON_API_KEY']). That pulls user credentials/API keys to a third-party gateway and directs network traffic away from googleapis.com to maton.ai. This instruction accesses an environment variable (MATON_API_KEY) which is not declared in the skill's declared requires.env and represents scope creep from a local OAuth CLI to a managed gateway flow.
Install Mechanism
The install entry is a Homebrew formula (steipete/tap/gogcli), which is a typical and low-risk install mechanism for a CLI. The code files are the full gogcli repository (many source files) rather than a hidden script or remote download. No high-risk arbitrary URL downloads or URL shorteners are used in the install spec.
! Credentials
The top-level metadata declares no required env vars, which fits a user-invoked CLI that manages OAuth locally. But the included gmail subdocument requires MATON_API_KEY and shows code that will send that API key to maton.ai endpoints. Requesting an API key for a third-party gateway is not proportional to the stated local CLI purpose and is not declared in the skill's requires.env. This is an unexpected credential request and worth caution.
Persistence & Privilege
The skill does not request always:true and uses the normal user-invocable/autonomous-invocation defaults. The included CLI stores OAuth tokens in OS keyring/config — expected behavior for a CLI. The package does not declare changes to other skills or system-wide settings beyond normal keyring/config writes.
What to consider before installing
This package largely looks like the open-source gogcli CLI (Homebrew formula + source files) — installing that CLI via the referenced Homebrew tap is consistent with the skill's top-level purpose. However, the bundled gmail documentation also describes using a Maton-managed gateway and asks you to set MATON_API_KEY and call maton.ai endpoints. That is not declared in the skill's top-level requirements and would route Google API calls (and effectively your access tokens) through a third party. Before installing or providing any API key:

- Decide whether you want a local OAuth flow (gog auth credentials + gog auth add) or to use a managed gateway. If you want local-only, ignore MATON_API_KEY and follow the gog auth instructions.
- Do NOT set MATON_API_KEY or paste secrets unless you trust maton.ai. Verify the Maton service, its privacy/security policies, and whether you intended to delegate API traffic to that provider.
- Confirm the Homebrew tap origin: brew tap steipete/tap is cited; verify the tap points to the expected GitHub repo (steipete/gogcli) and the formula's URL/sha256 before installing.
- The package metadata/slug (Tmp) and included _meta.json differ from the registry metadata; this mismatch is a red flag — confirm the publisher identity and that you pulled the package from a trusted source.
- If you need stricter isolation, install and run the CLI in a disposable environment (VM/container) and inspect network traffic, or build from source after reviewing the repository on GitHub.

If you want, I can: list the specific lines in gmail/SKILL.md that reference MATON_API_KEY and maton.ai, or help craft a safe installation checklist (brew tap verification and building from source).

Like a lobster shell, security has layers — review code before you run it.

latestvk977a5m3vq8twtedm4kvagpyjs81e8h6

Runtime requirements

🎮 Clawdis
Bins: gog

Install

Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli
