ClawHub

XferOps gog

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Google Workspace CLI helper, but installing and authorizing it can give broad access to your Google account data.

Install only if you trust the external gog CLI and Homebrew tap. Review Google OAuth scopes before approving, use the narrowest practical account and service set, avoid putting GOG_KEYRING_PASSWORD directly in shell profiles or systemd Environment lines, and confirm before any command that sends email or changes Calendar, Drive, Docs, Contacts, or Sheets data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to place `GOG_KEYRING_PASSWORD` directly in a shell profile or systemd unit as plaintext, which can expose the secret through readable config files, backups, process/environment inspection, or accidental check-in to source control. In the context of a Google Workspace CLI with broad Gmail/Drive/Docs access, compromise of the keyring password can enable theft or misuse of stored OAuth tokens.

Credential Access

High
Category
Privilege Escalation
Content
Notes

**Headless/EC2 setup:** On headless machines (no TTY), gog needs `GOG_KEYRING_PASSWORD` set:
- Add to shell profile: `export GOG_KEYRING_PASSWORD=your-password`
- Add to systemd service: `Environment=GOG_KEYRING_PASSWORD=your-password`
- Or use file keyring: `gog auth keyring file`
Confidence
95% confidence
Finding
KEYRING

Credential Access

High
Category
Privilege Escalation
Content
Notes

**Headless/EC2 setup:** On headless machines (no TTY), gog needs `GOG_KEYRING_PASSWORD` set:
- Add to shell profile: `export GOG_KEYRING_PASSWORD=your-password`
- Add to systemd service: `Environment=GOG_KEYRING_PASSWORD=your-password`
- Or use file keyring: `gog auth keyring file`
Confidence
97% confidence
Finding
KEYRING

Credential Access

High
Category
Privilege Escalation
Content
**Headless/EC2 setup:** On headless machines (no TTY), gog needs `GOG_KEYRING_PASSWORD` set:
- Add to shell profile: `export GOG_KEYRING_PASSWORD=your-password`
- Add to systemd service: `Environment=GOG_KEYRING_PASSWORD=your-password`
- Or use file keyring: `gog auth keyring file`

- Set `GOG_ACCOUNT=you@gmail.com` to avoid repeating `--account`.
Confidence
97% confidence
Finding
KEYRING

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal