ClawHub

Gog Jasmine

v1.0.0

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.

0· 907·2 current·3 all-time
by@jasminehuang98613·fork of @steipete/gog (1.0.0)
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the runtime instructions: SKILL.md only instructs use of the 'gog' CLI for Gmail/Calendar/Drive/Contacts/Sheets/Docs and OAuth setup, which is coherent with a Google Workspace CLI.
Instruction Scope
Instructions only reference the 'gog' binary, an OAuth client_secret.json, optional GOG_ACCOUNT, and typical commands (search, send, export, etc.). They do not instruct reading unrelated files, exfiltrating data, or contacting unknown endpoints.
Install Mechanism
Install uses a Homebrew formula from the third-party tap 'steipete/tap/gogcli'. Homebrew formulas can execute arbitrary code at install time and a third-party tap is less authoritative than an official package; this increases supply-chain risk but is not unusual for CLI tools.
Credentials
No required environment variables or external secrets are declared. The OAuth client_secret.json and optional GOG_ACCOUNT are expected and proportional for a Google Workspace CLI.
Persistence & Privilege
Skill does not request always:true, does not require config paths, and is invocation-limited by default. Autonomous model invocation is allowed but that's the platform default and not by itself a red flag.
Scan Findings in Context
[metadata.ownerId_mismatch] unexpected: Registry metadata lists ownerId 'kn70w7wx43p52z66v9j5nfgg5580tg1y' but _meta.json contains ownerId 'kn70pywhg0fyz996kpa8xj89s57yhv26'. This provenance mismatch could indicate packaging error, copy/paste, or tampering of the metadata and warrants verification.
What to consider before installing
This skill appears to be a straightforward wrapper around a 'gog' CLI, but verify the source before installing. Steps to consider: - Confirm the Homebrew tap 'steipete/tap/gogcli' and inspect the formula (and its GitHub repo) to see what it installs and whether it runs scripts during install. - Verify the homepage (https://gogcli.sh) and the publisher identity; resolve the ownerId mismatch in _meta.json with the publisher if possible. - If you install, prefer doing so on a non-critical machine or in a container/VM first to observe behavior. - Keep the OAuth client_secret.json and account tokens private; the skill rightly requires OAuth credentials—only supply your own Google OAuth client secrets and authorize scopes you trust. - If you need higher assurance, obtain the 'gog' binary source code or prebuilt release from an official GitHub release and verify checksums before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f9epk29bfnpvt01g0p0v6rd81e7p3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
Binsgog

Install

Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli

Comments