Back to skill

Security audit

Google Workspace

Security checks across malware telemetry and agentic risk

Overview

This Google Workspace skill is mostly coherent, but needs Review because setup weakens Google account protections and installs an unpinned executable while handling sensitive Workspace access.

Install only after reviewing the trust boundary. Prefer a dedicated low-privilege Google account or Workspace project, keep services in off or readonly mode unless writes are required, avoid using this with Advanced Protection accounts if it requires unenrollment, and pin plus verify the release binary before placing it in the OpenClaw bin directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions while requiring sensitive environment variables, downloading and installing a binary, and depending on network access. This creates a transparency and governance gap: operators may approve or run the skill without understanding that it can access OAuth credentials and communicate externally. In the context of a Google Workspace integration, the mismatch is more dangerous because the token can expose email, contacts, calendar, drive, docs, and sheets data depending on configured scopes.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The top-level Drive command is explicitly described as read-only, but the file also exposes mutating operations that create comments and replies when Drive is configured in readwrite mode. This is dangerous because users, operators, or higher-level agents may rely on the command description for safety guarantees and unintentionally invoke a capability that modifies external data in Google Drive.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs operators to manually copy the OAuth authorization code from the browser URL, but does not warn that this code is a sensitive credential that should not be logged, pasted into chats, or shared with other tools. In an agent/CLI environment, users may paste terminal history, screenshots, or full URLs into untrusted contexts, which can enable session hijacking or unauthorized token issuance if the code is still valid.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The file enumerates required environment variables including the token encryption passphrase and OAuth client credentials, but does not clearly label them as secrets or provide handling guidance. This increases the chance that operators will expose them through shell history, process listings, debug output, shared `.env` files, or source control, which could lead to credential theft and compromise of Google Workspace access.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The README explicitly instructs operators to temporarily disable Google Advanced Protection to complete OAuth authentication. This weakens an account-level security control protecting against phishing and malicious app authorization, and creates a window where a hostile or compromised environment could obtain long-lived Google access. In this skill’s context, the danger is elevated because the agent environment is acknowledged as potentially hostile and the token persists after re-enrollment.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.