XferOps gog
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a normal Google Workspace CLI wrapper, but it can give an external CLI broad OAuth-powered access to read and change Google account data.
Before installing, verify the gog Homebrew tap and upstream project, review the OAuth scopes and account you authorize, protect any keyring password or environment settings, and require explicit confirmation before the agent sends email or changes calendar, sheet, document, or file data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized broadly, the CLI may be able to read or modify email, calendar, files, contacts, documents, and spreadsheets for the chosen account.
The skill requires Google OAuth authorization across multiple Workspace services, which is expected for its purpose but grants meaningful account access.
Requires OAuth setup... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,docs,sheets`
Review the OAuth consent screen and scopes, use the least-privileged account practical, and revoke access when no longer needed.
A mistaken or over-eager agent action could send messages, change calendars, or delete spreadsheet content.
The documented commands include mutating actions such as sending email, creating calendar events, and clearing spreadsheet ranges. These are purpose-aligned but high-impact if run incorrectly.
`gog gmail send ...`; `gog calendar create ...`; `gog sheets clear <sheetId> "Tab!A2:Z"`
Require explicit user confirmation before any send, create, update, append, clear, copy, or other mutating operation, and verify recipients, IDs, and ranges first.
Anyone with access to the relevant shell profile, service file, logs, or process environment may gain information useful for accessing stored gog credentials.
The headless setup suggests storing a keyring password in shell or systemd environment configuration, which is a sensitive local credential-handling pattern.
On headless machines... `export GOG_KEYRING_PASSWORD=your-password` ... `Environment=GOG_KEYRING_PASSWORD=your-password`
Use a protected secret store where possible, restrict file permissions, avoid shared machines for this setup, and do not commit these settings to source control.
The behavior and security of the installed gog executable depend on the external Homebrew tap and upstream project.
The skill installs and relies on an external Homebrew-provided binary rather than code included in the artifact set. This is normal for a CLI wrapper but shifts trust to that package source.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the gog project and Homebrew formula source, install from trusted channels, and keep the CLI updated.