Security audit

Gmail OAuth Setup

Security checks across malware telemetry and agentic risk

Overview

This skill transparently helps a user set up Gmail OAuth for the gog CLI, but it handles powerful long-lived Gmail credentials that users should protect carefully.

Install only if you are intentionally setting up Gmail access for gog and trust that CLI. Use the narrowest Gmail scope that works for your needs, avoid putting the keyring password in .bashrc when possible, protect the OAuth client secret and refresh token, and revoke the app from your Google account when you no longer need it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill recommends the broad `gmail.modify` scope as the default and suggests persisting a keyring password in shell startup files without prominently warning about the security and privacy consequences. If followed, this can grant long-lived access to read, modify, delete, and manage mail, while exposing the decryption secret to local compromise, shell history leaks, backups, or accidental disclosure.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script writes a Gmail refresh token to a temporary file in plaintext before importing it. Even though mktemp is used, the token remains on disk and could be exposed through local compromise, backups, crash artifacts, or if the script exits before cleanup, which is significant because refresh tokens enable long-lived mailbox access.

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.