XferOps gog
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: xferops-gog Version: 0.1.1 The skill bundle provides instructions for installing and using the `gog` command-line tool, a legitimate utility for interacting with Google Workspace services. All commands and setup instructions described in `SKILL.md` are aligned with the stated purpose of managing Gmail, Calendar, Drive, Contacts, Sheets, and Docs. There is no evidence of intentional harmful behavior, such as data exfiltration to unauthorized endpoints, backdoor installation, or prompt injection designed to manipulate the agent into malicious actions. The installation method uses `brew` from a specified formula, which is a standard package manager approach. While the `gog` tool itself has powerful capabilities (e.g., sending emails, saving attachments), the skill bundle merely documents these legitimate functions without directing them towards malicious ends.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized broadly, the CLI may be able to read or modify email, calendar, files, contacts, documents, and spreadsheets for the chosen account.
The skill requires Google OAuth authorization across multiple Workspace services, which is expected for its purpose but grants meaningful account access.
Requires OAuth setup... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,docs,sheets`
Review the OAuth consent screen and scopes, use the least-privileged account practical, and revoke access when no longer needed.
A mistaken or over-eager agent action could send messages, change calendars, or delete spreadsheet content.
The documented commands include mutating actions such as sending email, creating calendar events, and clearing spreadsheet ranges. These are purpose-aligned but high-impact if run incorrectly.
`gog gmail send ...`; `gog calendar create ...`; `gog sheets clear <sheetId> "Tab!A2:Z"`
Require explicit user confirmation before any send, create, update, append, clear, copy, or other mutating operation, and verify recipients, IDs, and ranges first.
Anyone with access to the relevant shell profile, service file, logs, or process environment may gain information useful for accessing stored gog credentials.
The headless setup suggests storing a keyring password in shell or systemd environment configuration, which is a sensitive local credential-handling pattern.
On headless machines... `export GOG_KEYRING_PASSWORD=your-password` ... `Environment=GOG_KEYRING_PASSWORD=your-password`
Use a protected secret store where possible, restrict file permissions, avoid shared machines for this setup, and do not commit these settings to source control.
The behavior and security of the installed gog executable depend on the external Homebrew tap and upstream project.
The skill installs and relies on an external Homebrew-provided binary rather than code included in the artifact set. This is normal for a CLI wrapper but shifts trust to that package source.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the gog project and Homebrew formula source, install from trusted channels, and keep the CLI updated.