Gmail OAuth Setup
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, gog can access the selected Gmail account with read, send, delete, and label-management permissions until the token is revoked.
The helper requests Gmail modify access and imports a refresh token into gog, creating persistent delegated Gmail access.
SCOPE="https://www.googleapis.com/auth/gmail.modify" ... "refresh_token": "${refresh_token}" ... gog auth tokens import "$token_file"
Use the least-privileged Gmail scope that works for your use case, authorize only accounts you intend to connect, and revoke the token from your Google Account if you no longer need it.
The OAuth flow relies on the behavior and security of the installed gog CLI.
The skill depends on an external CLI installed outside the skill package; this is disclosed, but users must trust that dependency and source.
`gog` CLI installed (`brew install steipete/tap/gogcli`)
Install gog only from a trusted source, verify the project and package before use, and keep it updated.
A user who proceeds with the wrong OAuth app could grant Gmail access to an untrusted Google Cloud project.
The instructions tell users how to proceed past Google's warning; this is reasonable for a personal OAuth app but should not be followed for an app the user does not control.
"Google hasn't verified this app" ... "Go to [app name] (unsafe)" ... "Safe to proceed since you own the app."
Only bypass the warning when you created and control the Google Cloud OAuth client and have verified the app name, client, and requested scopes.
