v1.0.1

Gws Skill

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 8:25 AM.

Analysis

This is a clearly disclosed Google Workspace investigation skill, but it grants very broad domain-wide delegated access to read users’ email, files, calendars, contacts, and audit data, with a misleading read-only claim around Vault authority.

Guidance: Review this carefully before installing. It appears designed for legitimate Google Workspace administration and investigations, but it should only be used by authorized Workspace administrators with a tightly scoped service account, minimal OAuth scopes, protected key storage, and clear approval/audit procedures for any query that reads full email, documents, files, calendars, or contacts.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Read-only access — no write scopes are granted ... vault.py — Email Investigation ... Creates temporary matter → runs query → returns results → auto-deletes matter ... --export

The skill claims no write scopes are granted, but its own Vault workflow describes creating and deleting matters and exporting results, which can make the authority sound narrower than it is.

User impact: An administrator may underestimate the Vault permissions being granted and the administrative changes the tool can make to conduct searches or exports.
Recommendation: Clarify the Vault permission model, document that Vault operations may create/delete matters or exports, and prefer readonly Vault scopes where feasible.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
scripts/gmail.py
elif args.mode == "full":
            result = search_and_read(args.user, args.query, args.max)

The Gmail tool can return full message contents for an impersonated user; this is purpose-aligned, but it is a high-sensitivity action without a built-in confirmation or narrowing control in the script.

User impact: A mistaken or overly broad query could expose full private email contents to the agent session.
Recommendation: Require explicit user confirmation for full-content reads, keep summary mode as the default, cap result counts, and log who requested each full-content access.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
requirements.txt
google-auth
google-auth-httplib2
google-api-python-client

The dependencies are relevant to the skill, but they are unpinned, so future installs could receive different package versions.

User impact: Dependency behavior could change over time if packages update or if an installation environment resolves unexpected versions.
Recommendation: Pin dependency versions and use a lockfile or trusted package mirror for repeatable installs.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
GCP service account JSON key with domain-wide delegation. Grants read-only access to Gmail, Vault, Drive, Calendar, Sheets, Docs, Directory, Reports, and People APIs for any user in the Google Workspace domain.

Domain-wide delegation for any user in the domain gives the skill very broad delegated authority over sensitive organizational data, even if intended for admin investigations.

User impact: Installing and authorizing this skill could let the agent access private email, files, calendars, contacts, directory data, and audit logs for users across the organization.
Recommendation: Use only with a dedicated service account, the minimum OAuth scopes needed, strict admin approval, audit logging, and clear internal authorization rules for which users and data may be queried.