Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Drive
v1.0.0
Access and manage Google Drive files, folders, metadata, uploads, downloads, and sharing via the Google Drive API with OAuth authentication.
by Otman Heddouch (@otman-ai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described capability (manage Google Drive) aligns with the cURL examples that call a Maton-managed Google Drive gateway (gateway.maton.ai). However the skill metadata declares no required credentials or primary credential even though the runtime instructions explicitly require MATON_API_KEY and Maton connection management — this is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to: set and send MATON_API_KEY; call gateway.maton.ai for Drive API operations; call ctrl.maton.ai to create/list/delete 'connections' (which likely manage OAuth links to user Google accounts); and optionally include a Maton-Connection header. These instructions send potentially sensitive Drive data and connection management to a third party (maton.ai). The instructions do not reference other local files or environment variables, but they do require a secret that is not declared in the skill manifest.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That lowers some risk, but it does not eliminate the risk of network calls described in SKILL.md.
Credentials
The runtime examples require MATON_API_KEY (an API key/token) but the skill's metadata lists no required env vars or primary credential. Requesting an API key that grants access to a third‑party gateway which can access your Google Drive is a high‑sensitivity operation and should be explicitly declared. The skill also encourages creating/using 'connections' that likely grant OAuth access to Google accounts — this is powerful access and should be justified and visible in the metadata.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (normal). Note: because the skill will use a sensitive API key and can be invoked autonomously, there is an increased blast radius if you grant a key — verify trust in the Maton gateway before enabling autonomous use.
What to consider before installing
Key points before installing:
(1) The SKILL.md requires a MATON_API_KEY and uses maton.ai gateways to access Google Drive and to create/manage OAuth 'connections' — you must trust maton.ai to handle your Drive data and connection tokens.
(2) The skill metadata does not declare any required credentials or link to source/homepage; this mismatch is a red flag — ask the publisher for a source repo, privacy/security documentation, and an explanation for the missing declared env var.
(3) Prefer official Google Drive integrations or skills from known publishers; if you do use this skill, restrict the MATON_API_KEY to minimal scopes, store it securely, and avoid enabling autonomous invocation unless you fully trust the provider.
(4) If you need help vetting the Maton service, request its homepage, documentation, and terms of service and verify that it is an appropriate intermediary for your data.
Like a lobster shell, security has layers — review code before you run it.
latest vk978wt82bmwfbpbg113x4e5xkn84dzan
