Gmail OAuth Setup

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill openly documents how it sets up Gmail OAuth for the gog CLI, but users should understand that the result is persistent, delegated access to the Gmail account through a stored refresh token.

Before installing, make sure you trust the gog CLI source, use a Google Cloud OAuth client you created yourself, review the Gmail scope the helper requests, and understand that a refresh token will be stored on disk for ongoing Gmail access. Use a narrower scope such as gmail.readonly when it covers your use case (note that gmail.readonly cannot send or modify mail, so check what you actually need), and revoke the token later if access is no longer needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If authorized, gog can read, send, label, and trash mail in the selected Gmail account until the token is revoked. The gmail.modify scope covers every Gmail operation except permanent deletion that bypasses Trash, which requires the full https://mail.google.com/ scope.

Why it was flagged

The helper requests the Gmail modify scope and imports the resulting refresh token into gog, creating persistent delegated Gmail access that survives until the token is revoked.

Skill content
SCOPE="https://www.googleapis.com/auth/gmail.modify" ... "refresh_token": "${refresh_token}" ... gog auth tokens import "$token_file"
Recommendation

Use the least-privileged Gmail scope that works for your use case, authorize only the accounts you intend to connect, and revoke the token (from your Google Account's third-party access settings, or by calling Google's OAuth revocation endpoint with the refresh token) if you no longer need it.

What this means

The OAuth flow relies on the behavior and security of the installed gog CLI.

Why it was flagged

The skill depends on an external CLI installed outside the skill package; this is disclosed, but users must trust that dependency and source.

Skill content
`gog` CLI installed (`brew install steipete/tap/gogcli`)
Recommendation

Install gog only from a trusted source, verify the project, the tap, and the package before use, and keep it updated, since every token imported into it is only as safe as that binary.

What this means

A user who proceeds with the wrong OAuth app could grant Gmail access to an untrusted Google Cloud project.

Why it was flagged

The instructions tell users how to proceed past Google's warning; this is reasonable for a personal OAuth app but should not be followed for an app the user does not control.

Skill content
"Google hasn't verified this app" ... "Go to [app name] (unsafe)" ... "Safe to proceed since you own the app."
Recommendation

Only bypass the warning when you created and control the Google Cloud OAuth client, and only after confirming that the app name, the client_id in the consent URL, and the requested scopes are exactly the ones you configured.
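The first and third findings both come down to checks a user can run before granting or importing anything: is the consent screen really for my OAuth client and only the scopes I chose, and does the token file I am about to hand to gog carry nothing broader? The following is an added example written for this report; it is not code from the audited skill or from the gog project. It assumes Google's public OAuth 2.0 authorization and revocation endpoints, and it assumes the token file is JSON with "client_id", "refresh_token" and "scope" keys (the skill excerpt shows only the "refresh_token" key, so the other two are an assumption). The sample token file is constructed for the example.

```python
"""Pre-import checks for a Gmail OAuth token before `gog auth tokens import`.

Added example, not part of the audited skill or the gog project. Assumed:
the token file is JSON with "client_id", "refresh_token" and "scope" keys
(the skill excerpt only shows "refresh_token"); Google's public OAuth 2.0
endpoints are used as documented.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's public OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"

GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"
GMAIL_MODIFY = "https://www.googleapis.com/auth/gmail.modify"


def new_code_verifier() -> str:
    """PKCE code_verifier: 43-128 unreserved characters (RFC 7636)."""
    return secrets.token_urlsafe(64)  # 86 URL-safe characters


def build_auth_url(client_id, redirect_uri, scopes, state, code_verifier):
    """Consent URL for your own OAuth client with the narrowest scopes you chose.
    access_type=offline plus prompt=consent is what makes Google return a refresh
    token; the PKCE challenge binds the later code exchange to this request."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "access_type": "offline",
        "prompt": "consent",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def consent_url_problems(url, expected_client_id, allowed_scopes):
    """Before clicking past "Google hasn't verified this app", confirm the URL in
    the address bar names your client and only the scopes you intended.
    Returns a list of problems; an empty list means it checks out."""
    parsed = urlparse(url)
    q = parse_qs(parsed.query)
    problems = []
    if parsed.netloc != "accounts.google.com":
        problems.append(f"unexpected host {parsed.netloc!r}")
    cid_seen = q.get("client_id", [None])[0]
    if cid_seen != expected_client_id:
        problems.append(f"client_id mismatch: {cid_seen!r}")
    requested = set(" ".join(q.get("scope", [])).split())
    extra = requested - set(allowed_scopes)
    if extra:
        problems.append("unexpected scopes: " + ", ".join(sorted(extra)))
    return problems


def token_file_problems(token_json, expected_client_id, allowed_scopes):
    """Gate on the token file that would be handed to `gog auth tokens import`
    (assumed key layout, see module docstring)."""
    tok = json.loads(token_json)
    problems = []
    if tok.get("client_id") != expected_client_id:
        problems.append(f"client_id mismatch: {tok.get('client_id')!r}")
    if not tok.get("refresh_token"):
        problems.append("no refresh_token present")
    granted = set(tok.get("scope", "").split())
    if not granted:
        problems.append("no scope recorded; cannot verify least privilege")
    extra = granted - set(allowed_scopes)
    if extra:
        problems.append("granted scope broader than allowed: " + ", ".join(sorted(extra)))
    return problems


def revoke_request(refresh_token):
    """(url, form body) for Google's revocation endpoint. POST it with
    Content-Type application/x-www-form-urlencoded to end gog's standing access."""
    return REVOKE_ENDPOINT, urlencode({"token": refresh_token})


# Constructed sample token file in the assumed layout, as the helper might write it.
SAMPLE_CLIENT_ID = "123456789-abc.apps.googleusercontent.com"
SAMPLE_TOKEN_MODIFY = json.dumps({
    "client_id": SAMPLE_CLIENT_ID,
    "refresh_token": "1//0example-refresh-token",
    "scope": GMAIL_MODIFY,
})

if __name__ == "__main__":
    url = build_auth_url(SAMPLE_CLIENT_ID, "http://localhost:8085/callback",
                         [GMAIL_READONLY], secrets.token_urlsafe(16), new_code_verifier())
    print("consent URL:", consent_url_problems(url, SAMPLE_CLIENT_ID, [GMAIL_READONLY]))
    print("token file:", token_file_problems(SAMPLE_TOKEN_MODIFY, SAMPLE_CLIENT_ID, [GMAIL_READONLY]))
```

Run the module directly to see the two checks on the constructed sample: the consent URL built for gmail.readonly passes, while the sample token file, which carries gmail.modify, is reported as broader than the allowed scope and should not be imported without a conscious decision to accept that access. Both checks work on the allowlist principle rather than on a scope ranking, so the caller states exactly which scopes are acceptable and anything else is flagged.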