Google Photos Manager for OpenClaw

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google Photos command-line helper, but it needs Google OAuth access and can upload selected local files.

Install only if you are comfortable granting a local script access to your Google Photos account. Use your own Google OAuth credentials, review the consent screen scopes, upload only intended files, keep credentials.json and token.pickle private, and revoke the app's Google access when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
OAuth credentials are serialized with pickle and written to disk without warning the user about local token storage or protecting the file. A locally accessible token file can grant unauthorized access to the user's Google Photos account data and actions if the host is shared or compromised.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code reads arbitrary local files and uploads their contents to Google Photos without an explicit user-facing disclosure at the upload path. In an agent-skill context, that increases the risk of unintended exfiltration of sensitive local images or mis-selected files if invocation parameters are influenced by another component.

VirusTotal

65/65 vendors flagged this skill as clean.
