Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

gogcli - Google Workspace CLI

v1.0.0

Command-line tool to manage Google Workspace services including Gmail, Calendar, Drive, Sheets, Docs, Slides, Contacts, Tasks, People, Groups, and Keep.

by luccasveg @luccast
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and runtime instructions align: SKILL.md documents a Google Workspace CLI, how to install it (brew or build from GitHub), how to provision OAuth client credentials, and example commands for Gmail/Drive/Calendar/etc. There are no unrelated credential or binary requirements.
Instruction Scope
Instructions stay within the scope of installing and using a CLI to access Google Workspace: they reference only the OAuth client JSON (~/Downloads) and the tool's config directory (~/.config/gog). There are no instructions to read unrelated system files or exfiltrate data to unexpected endpoints. The use of a localhost redirect (http://localhost:8085/callback) is normal for desktop OAuth flows.
Install Mechanism
The SKILL.md recommends installing from a third-party Homebrew tap (steipete/tap/gogcli) or cloning https://github.com/steipete/gogcli and running make. That is expected for a CLI but means you will be installing/running third-party code — review the repository and release source before installing.
Credentials
The skill declares no environment variables, which is consistent with the instructions. It does require creating Google OAuth client credentials and will store tokens under ~/.config/gog. OAuth tokens can grant broad access depending on scopes requested, so the credential request is proportional but sensitive.
Persistence & Privilege
The skill does not request always:true or other elevated platform privileges. The only persistent artifact mentioned is the tool's credential storage in ~/.config/gog, which is standard for a CLI managing OAuth tokens.
Assessment
This SKILL.md is coherent for a Google Workspace CLI, but before installing or following its steps:

1) Verify the upstream project (https://github.com/steipete/gogcli and the steipete Homebrew tap) — check stars, commits, releases, and README to ensure you trust it.
2) When creating OAuth credentials, restrict scopes to the minimum needed and use a project you control; understand that access tokens grant the tool access to your Gmail/Drive/Calendar depending on scopes.
3) Be cautious building and running third-party code (make/sudo make install) — review source or use official releases.
4) Know where tokens are stored (~/.config/gog) and how to revoke access in Google Cloud Console if needed.

If you want a higher-assurance path, prefer official Google tools or well-audited third-party clients.

Like a lobster shell, security has layers — review code before you run it.
