ClawHub

Google Workspace BYOK

Security checks across malware telemetry and agentic risk

Overview

This Google Workspace skill is mostly coherent, but it defaults to broader calendar permissions than its scripts appear to need and stores powerful OAuth tokens locally without hardening.

Install only on a trusted machine. Prefer authorizing accounts with --readonly unless you truly need Calendar write access, protect or remove the saved credentials and token files when not in use, and download attachments only from trusted messages into a dedicated temporary directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill says read-only calendar access is available, but the documented default OAuth scope is full calendar read/write. Requesting broader access than necessary violates least privilege and increases the damage possible if tokens are stolen or the tool is misused.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script requests read/write Google scopes by default unless the user explicitly passes --readonly, which violates least-privilege for a skill primarily described as reading calendars and emails. In this BYOK multi-account context, overbroad OAuth consent can grant unnecessary modification access to Gmail and Calendar data, increasing the blast radius if the skill, stored tokens, or downstream agent behavior is compromised.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The shared utility requests full calendar read/write access via the read-write scope set even though the stated primary use is reading calendars, events, and emails. This violates least-privilege and increases the blast radius if the skill, account, or stored tokens are abused, enabling event creation, modification, or deletion.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Including calendar modification capability in shared auth utilities makes it easy for downstream code to obtain broader access than the skill description appears to justify. In a BYOK multi-account email/calendar integration, excessive scopes are especially sensitive because they can affect multiple personal or business calendars if a token is misused.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill stores OAuth credentials and refresh tokens locally but does not prominently warn users about that sensitive local persistence. On shared systems or poorly secured hosts, these files could be copied and used to access Gmail and Calendar data for connected accounts.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
OAuth tokens are persisted in plaintext JSON on disk without any visible permission hardening, encryption, or disclosure in this file. If the local machine, home directory, backups, or another local process is compromised, these tokens can be reused to access Gmail and Calendar data without re-authentication.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal