XferOps gog

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If authorized broadly, the CLI may be able to read or modify email, calendar, files, contacts, documents, and spreadsheets for the chosen account.

Why it was flagged

The skill requires Google OAuth authorization across multiple Workspace services, which is expected for its purpose but grants meaningful account access.

Skill content

Requires OAuth setup... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,docs,sheets`

Recommendation

Review the OAuth consent screen and scopes, use the least-privileged account practical, and revoke access when no longer needed.

What this means

A mistaken or over-eager agent action could send messages, change calendars, or delete spreadsheet content.

Why it was flagged

The documented commands include mutating actions such as sending email, creating calendar events, and clearing spreadsheet ranges. These are purpose-aligned but high-impact if run incorrectly.

Skill content

`gog gmail send ...`; `gog calendar create ...`; `gog sheets clear <sheetId> "Tab!A2:Z"`

Recommendation

Require explicit user confirmation before any send, create, update, append, clear, copy, or other mutating operation, and verify recipients, IDs, and ranges first.

What this means

Anyone with access to the relevant shell profile, service file, logs, or process environment may gain information useful for accessing stored gog credentials.

Why it was flagged

The headless setup suggests storing a keyring password in shell or systemd environment configuration, which is a sensitive local credential-handling pattern.

Skill content

On headless machines... `export GOG_KEYRING_PASSWORD=your-password` ... `Environment=GOG_KEYRING_PASSWORD=your-password`

Recommendation

Use a protected secret store where possible, restrict file permissions, avoid shared machines for this setup, and do not commit these settings to source control.

What this means

The behavior and security of the installed gog executable depend on the external Homebrew tap and upstream project.

Why it was flagged

The skill installs and relies on an external Homebrew-provided binary rather than code included in the artifact set. This is normal for a CLI wrapper but shifts trust to that package source.

Skill content

brew | formula: steipete/tap/gogcli | creates binaries: gog

Recommendation

Verify the gog project and Homebrew formula source, install from trusted channels, and keep the CLI updated.