Skill v1.0.0

ClawScan security

Gog 1 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 4:57 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it is an instruction-only wrapper that expects a 'gog' Google Workspace CLI binary (installable via a Homebrew tap) and its runtime instructions match that purpose.
Guidance
This skill appears to do what it says: it expects a standalone 'gog' CLI and instructs you how to use it. Before installing, verify the Homebrew tap (steipete/tap/gogcli) and inspect the formula or the project's GitHub to confirm the binary's source. Protect your OAuth client_secret.json (store it securely), grant only the Google API scopes you need, and be aware that the installed 'gog' binary will have normal filesystem and network access (it can read files you point it at and call Google APIs). If you will allow the agent to invoke the skill autonomously, consider limiting the agent's permissions or requiring confirmation prompts for sensitive actions like sending email.

Review Dimensions

Purpose & Capability
ok: The name/description (Google Workspace CLI) match the declared requirements: the skill requires the 'gog' binary and offers commands for Gmail, Calendar, Drive, Contacts, Sheets, and Docs. Requesting a gog binary and offering a Homebrew install is appropriate for this purpose.
Instruction Scope
ok: SKILL.md only instructs the agent to run the gog CLI, perform OAuth setup (pointing to a local client_secret.json), and carry out typical Google Workspace operations. It does not ask the agent to read unrelated files or system secrets, or to exfiltrate data to other endpoints. It does reference writing an exported doc to /tmp and suggests using GOG_ACCOUNT to avoid repeating --account; both are expected and limited in scope.
Install Mechanism
note: Installation is via the Homebrew formula steipete/tap/gogcli, which will create the 'gog' binary. Homebrew is a normal install path, but this is a third-party tap (not the default Homebrew/core). Verify the tap's GitHub/repository and formula contents before installing to ensure the binary's provenance and review build/install steps.
Credentials
ok: The skill declares no required environment variables. The runtime notes mention GOG_ACCOUNT (optional) and local OAuth client_secret.json files; these are proportional to a Google API CLI. Users should still protect OAuth client secrets and grant the minimum OAuth scopes needed.
Persistence & Privilege
ok: The skill is not forced-always and does not request persistent system-wide configuration or other skills' credentials. Autonomous model invocation is allowed (platform default) but not excessive in this skill's metadata.