Gog Skill

Review

Audited by ClawScan on May 17, 2026.

Overview

The skill is coherent for Google Workspace automation, but it grants ongoing Google account access and documents destructive or mutating commands without clear approval rules for all of them.

Install only if you trust the gog CLI source and are comfortable granting this skill OAuth access to the connected Google account. Use the narrowest account and scopes possible, and require explicit confirmation before any command that sends, creates, updates, appends, clears, copies, or otherwise changes Google Workspace data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could modify or clear spreadsheet data without the user being clearly prompted to approve that specific high-impact action.

Why it was flagged

The skill documents noninteractive scripting and data-changing or destructive Sheets commands, but the explicit confirmation reminder only covers mail and events, not all mutating operations.

Skill content

For scripting, prefer `--json` plus `--no-input`. ... Sheets update ... Sheets append ... Sheets clear ... Confirm before sending mail or creating events.

Recommendation

Require explicit user confirmation before any mutating Google Workspace action, especially sending mail, creating calendar items, updating/appending Sheets, clearing ranges, copying Docs, or changing Drive content.

What this means

Whoever can use the configured skill may access the connected Google account according to the token's granted services and scopes.

Why it was flagged

The skill persists a Google refresh token for ongoing delegated account access. This is expected for the integration, but it is sensitive authority.

Skill content

Setup imports the refresh-token payload from `MAVERICK_GOG_TOKEN_IMPORT_JSON_B64`. ... normal `gog` commands refresh short-lived Google access tokens on demand from the stored refresh token.

Recommendation

Use a dedicated least-privilege Google account or token, restrict OAuth scopes where possible, rotate credentials regularly, and revoke the token if the skill is no longer needed.

What this means

The installed gog binary will handle Google credentials and account operations, so trust in the Homebrew tap and package source is important.

Why it was flagged

The skill depends on an external Homebrew tap to install the CLI. That is normal for this type of skill, but the binary provenance matters because it receives OAuth credentials.

Skill content

brew | formula: steipete/tap/gogcli | creates binaries: gog

Recommendation

Verify the gog project and Homebrew tap before installation, and prefer pinned or audited versions in sensitive environments.