Google Pub/Sub
Security checks across malware telemetry and agentic risk
Overview
This plugin is coherent and purpose-aligned, but it uses Google credentials to consume Pub/Sub messages, so it should be configured with least-privilege access to only the intended subscriptions.
Before installing, confirm the subscription is intended for automated consumption, use a dedicated least-privilege Pub/Sub subscriber credential, avoid broad ADC credentials where possible, keep the default Google endpoint unless you trust the override, and remember that pulled messages will be acknowledged and exposed to the agent.
VirusTotal
No VirusTotal findings
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An accidental or overly broad tool call can consume messages from a subscription so they will not be redelivered.
The plugin openly discloses that pulling messages also acknowledges them, which changes Pub/Sub delivery state and can consume up to 1000 messages per invocation.
Messages are always acknowledged before the tool returns ... `max_messages` (optional, default `10`, max `1000`)
Use this only on subscriptions intended for automated agent polling, keep message limits conservative, and ensure the credential has subscriber access only where needed.
The agent can read and acknowledge any Pub/Sub subscription that the configured Google credential is allowed to access.
The plugin is designed to use Application Default Credentials or a service-account JSON file with the Pub/Sub OAuth scope.
"enum": ["adc", "service-account-json"] ... "serviceAccountJsonPath" ... "default": ["https://www.googleapis.com/auth/pubsub"]
Prefer a dedicated service account with the minimum Pub/Sub subscriber IAM permissions for the intended subscriptions, rather than broad user ADC credentials.
Using a non-Google or untrusted endpoint override could expose Google authorization headers to that endpoint.
If the endpoint override is configured, the same authenticated request headers are sent to that configured endpoint.
this.endpoint = (opts.config?.endpoint ?? DEFAULT_ENDPOINT).replace(/\/+$/, ""); ... const headers = await this.authHeaders(); ... headers: { ...headers, "content-type": "application/json" }
Leave the default Pub/Sub endpoint unless using a trusted emulator or controlled test endpoint, and avoid using real credentials with untrusted custom endpoints.
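One way to close this gap, shown here as an added example that is not the plugin's own code: parse the configured endpoint and attach the Google authorization headers only when the host is a googleapis.com host reached over HTTPS; a loopback emulator is accepted only when explicitly enabled, and then receives no credentials at all. DEFAULT_ENDPOINT, the emulator host list and the buildPullRequest helper are assumptions for illustration; only the `opts.config?.endpoint` override and the header merge mirror what the scan quoted.

```javascript
// Added example, not the plugin's code: gate the endpoint override before any
// Google authorization header is attached to a request.

const DEFAULT_ENDPOINT = "https://pubsub.googleapis.com"; // assumed default: Pub/Sub's public REST host

// Hosts that may receive a real Authorization header. Suffix match on the
// hostname only, so "pubsub.googleapis.com.attacker.example" does not qualify.
const TRUSTED_HOST_SUFFIXES = [".googleapis.com"];

// Loopback hosts accepted as a local emulator (assumed list). Emulator traffic
// is usually plain HTTP and must never carry real tokens.
const EMULATOR_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

/**
 * Normalize the configured endpoint and decide whether credentials may go to it.
 * @param {string|undefined} configured  value of opts.config?.endpoint
 * @param {boolean} allowEmulator        explicit opt-in for a loopback emulator
 * @returns {{ baseUrl: string, sendCredentials: boolean }}
 */
function resolveEndpoint(configured, allowEmulator = false) {
  const raw = (configured ?? DEFAULT_ENDPOINT).replace(/\/+$/, "");
  let url;
  try {
    url = new URL(raw);
  } catch {
    throw new Error(`endpoint is not a valid URL: ${raw}`);
  }
  const host = url.hostname.toLowerCase();

  if (url.protocol === "https:" && TRUSTED_HOST_SUFFIXES.some((s) => host.endsWith(s))) {
    return { baseUrl: raw, sendCredentials: true };
  }
  if (allowEmulator && EMULATOR_HOSTS.has(host)) {
    return { baseUrl: raw, sendCredentials: false };
  }
  // Anything else (http:// to Google, a third-party host, a typo) is refused
  // outright rather than silently sending the bearer token there.
  throw new Error(
    `refusing endpoint override ${raw}: not a Google API host over HTTPS and not an enabled emulator`,
  );
}

/**
 * Assemble the pull request the way the quoted code does (merge auth headers,
 * set content-type), but only attach credentials when resolveEndpoint allowed them.
 * @param {{ baseUrl: string, sendCredentials: boolean }} endpoint
 * @param {string} subscription  full name, projects/<project>/subscriptions/<name>
 * @param {Record<string,string>} authHeaders  what this.authHeaders() would return
 * @param {number} maxMessages
 */
function buildPullRequest(endpoint, subscription, authHeaders, maxMessages = 10) {
  const headers = { "content-type": "application/json" };
  if (endpoint.sendCredentials) Object.assign(headers, authHeaders);
  return {
    url: `${endpoint.baseUrl}/v1/${subscription}:pull`,
    init: { method: "POST", headers, body: JSON.stringify({ maxMessages }) },
  };
}

// Usage: the default endpoint keeps credentials; a loopback emulator drops them.
const live = resolveEndpoint(undefined);
console.log(buildPullRequest(live, "projects/demo/subscriptions/agent-inbox", { authorization: "Bearer <token>" }).url);
```

Refusing rather than stripping the header for an unknown host is deliberate: a request that silently goes out unauthenticated to the wrong place still tells the operator nothing, whereas a thrown error surfaces the misconfiguration at the point where the override was set.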
Message payloads may contain sensitive or untrusted content that the agent could see or act on.
The tool returns Pub/Sub message attributes and decoded payload data into the agent context.
"messages": [ { ... "attributes": { "source": "scheduler" }, "data": "hello world", "dataEncoding": "utf8" } ]Use dedicated subscriptions for agent consumption, avoid sending secrets unless intended, and treat message payloads as data rather than instructions.
