ClawHub

Gmail OAuth Setup

v1.0.0

Set up Gmail API access via gog CLI with manual OAuth flow. Use when setting up Gmail integration, renewing expired OAuth tokens, or troubleshooting Gmail authentication on headless servers.

7· 3.6k·21 current·21 all-time
by@kai-jar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and the included script legitimately implement a headless Gmail OAuth flow for use with the gog CLI. However, the registry metadata claims no required binaries/env vars/config paths while the SKILL.md and script clearly require the gog CLI, python3, curl, and a gog credentials file at ~/.config/gogcli/credentials.json. That metadata omission is inconsistent and should have been declared.
Instruction Scope
SKILL.md instructions remain within the stated purpose: guide creation of Google Cloud credentials, generate an auth URL, exchange the code for tokens, and import tokens into gog. The script reads the local gog credentials file and exchanges codes with Google's OAuth token endpoint. It does not contact unknown third-party endpoints or attempt to read unrelated system state.
Install Mechanism
There is no install spec (instruction-only), which is the lowest-risk install model. The README suggests installing gog via brew but the skill does not automatically fetch or execute remote code beyond the provided script.
!
Credentials
The registry declares no required env vars, yet the SKILL.md and script rely on GOG_KEYRING_PASSWORD (optional, but used for non-interactive import) and expect gog credentials in ~/.config/gogcli/credentials.json. The script also assumes python3 and curl exist. Sensitive items (a keyring password) are encouraged to be exported to shell rc files in the documentation — that is a security practice concern and should have been explicitly declared in metadata.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false), does not modify other skills or system-wide agent settings, and does not attempt to self-enable or store credentials beyond importing tokens into the user's gog keyring (expected behavior for the stated purpose).
What to consider before installing
This skill appears to do what it claims: it helps perform a headless Gmail OAuth flow and imports refresh tokens into the gog CLI. Before installing or running it: 1) Inspect the provided script yourself (or have someone you trust do so) — the source is 'unknown'. 2) Ensure you have the required binaries (gog, python3, curl) even though the registry metadata doesn't list them. 3) Prefer entering GOG_KEYRING_PASSWORD interactively rather than putting it in .bashrc; if you must store it, use a secure secret store, not plaintext in shell rc files. 4) Confirm ~/.config/gogcli/credentials.json is your own downloaded client_secret JSON (do not run the script with credentials from untrusted sources). 5) Run the script in an isolated environment (temporary VM/container) if you are unsure of the origin. If the metadata were corrected to declare required binaries, config path, and the GOG_KEYRING_PASSWORD env var, my concerns would drop and confidence would increase.

Like a lobster shell, security has layers — review code before you run it.

emailvk97fj0yea5xhbedk165m8fwngh80n2e2gmailvk97fj0yea5xhbedk165m8fwngh80n2e2gogvk97fj0yea5xhbedk165m8fwngh80n2e2googlevk97fj0yea5xhbedk165m8fwngh80n2e2latestvk97fj0yea5xhbedk165m8fwngh80n2e2oauthvk97fj0yea5xhbedk165m8fwngh80n2e2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments