ClawHub

Google Cloud STS

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-built for Google Cloud token exchange, but it can mint and return a raw cloud access token with broad activation and limited handling guidance.

Install only if you intentionally want an agent to obtain Google Cloud federated access tokens through your OOMOL connection. Treat returned tokens as secrets, avoid logging or pasting them into unrelated tools, and verify the Google Cloud scopes, target project, and intended use before running the action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation condition is overly broad: it instructs the agent to use this skill for ANY Google Cloud STS request, without limiting by user intent, sensitivity, or task type. In context, this is more dangerous because the only exposed action mints a Google Cloud access token, so an overbroad trigger can cause unnecessary or premature credential retrieval for loosely related requests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly states it will return a Google Cloud access token, but provides no warning about treating the token as sensitive, minimizing logging, or avoiding accidental disclosure. In an agent/tooling context, that omission increases the chance the credential will be printed, stored in chat history, or reused unsafely, which can enable unauthorized access to Google Cloud resources.

Credential Access

High
Category
Privilege Escalation
Content
# Google Cloud STS · `get_federated_access_token`

Exchange the connected OOMOL OIDC token with Google Cloud Workload Identity Federation and return a Google Cloud access token.

- **Service**: `gcloud_sts`
- **Action**: `get_federated_access_token`
Confidence
91% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal