Skill v1.0.0
ClawScan security
Google Search Console CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 6:35 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (operating and troubleshooting a local gsc CLI and guiding Google OAuth setup); no disproportionate credential or install requests were found, though the SKILL.md expects a local Python/gsc environment that the registry metadata did not explicitly declare.
- Guidance: This skill appears to be a straightforward CLI guide for the local 'gsc' tool and Google OAuth setup. Before installing or following the instructions: 1) Confirm you intend to install the third-party pip package 'google-search-console-cli' from a source you trust (pipx pulls from PyPI by default). 2) Create and use OAuth credentials in a Google Cloud project you control, and keep the downloaded client_secret JSON private. 3) Prefer readonly scopes unless you need write actions. 4) Note the registry metadata omitted required binaries/envs — ensure you have Python, pipx or a virtualenv, and the 'gsc' command available. 5) Because the skill can be invoked by an agent, avoid supplying OAuth credentials to unknown agents; store secrets only in user-controlled locations (the default ~/.config/gsc-cli path or a path you set via env overrides).
Review Dimensions
- Purpose & Capability (note): The name/description match the instructions: the doc is a how-to for the gsc CLI and Google OAuth setup. Minor metadata mismatch: the skill metadata declares no required binaries or env vars, but the SKILL.md clearly expects a Python environment, the 'gsc' command, and optionally pipx/virtualenv. This is plausible (instruction-only skill) but the registry metadata is incomplete.
- Instruction Scope (ok): Instructions stay within the stated scope: installing/using the gsc CLI, creating a Google OAuth desktop client, running gsc auth/login, and troubleshooting. The doc references only local config paths (~/.config/gsc-cli) and the Google Cloud Console; it does not instruct reading unrelated system files or exfiltrating secrets to third parties.
- Install Mechanism (ok): This is an instruction-only skill (no install spec). Install recommendations use pipx or pip from source — common for Python CLIs. No arbitrary download URLs or archive extraction are suggested within the skill text.
- Credentials (ok): The skill uses OAuth client JSON and stores credentials locally; it notes env overrides (GSC_CREDENTIALS_FILE, GSC_APP_CONFIG_FILE, GSC_CONFIG_DIR) which are appropriate for configuring a CLI. The skill does not request unrelated cloud credentials or wide-ranging environment secrets in its metadata.
- Persistence & Privilege (ok): Skill is not always-enabled and is user-invocable; it does not request elevated or persistent platform privileges. It documents that the CLI writes credential/config files under the user's config directory, which is expected behavior for a CLI that caches OAuth tokens.
