Install untrusted source
- Finding
- Install source points to URL shortener or raw IP.
- Skill content
- `"placeholder": "http://127.0.0.1:3000/oauth2callback",`
Security checks across static analysis, malware telemetry, and agentic risk
This appears to be a legitimate Google Workspace integration, but it grants broad Google account authority and some write-capable actions are not clearly protected by confirmation or least-privilege scopes.
Install only if you are comfortable granting this plugin access to the selected Google Workspace services. Start with Gmail, Drive, and Sheets in read-only mode, enable write access only for specific needs, verify the OAuth scopes before consenting, and protect the credentials and token files under `~/.openclaw/secrets`.
SkillSpector has not run for this release. Legacy ClawScan findings remain available under Risk analysis.
VirusTotal engine telemetry is currently stale for this artifact.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
- Finding
- If write mode is enabled, an agent could send email or change Workspace data through these tools without the same documented confirmation guard used for calendar changes.
- The plugin exposes tools that can send messages or mutate Google Workspace data. Calendar tools document a `confirmed` parameter and preview flow, but these other write actions are only described as blocked by read-only mode, not as requiring explicit confirmation.
- Skill content
- `google_gmail_send` — Send an email. **Blocked in read-only mode.** ... `google_sheets_write` — Write data to a spreadsheet. **Blocked in read-only mode.** ... `google_tasks_complete` — Mark a task as completed.
- Recommendation
- Use read-only mode by default where possible, enable write services only when needed, and add explicit confirmation requirements for email sending, Sheets writes, Drive file creation, and Task changes.
- Finding
- Authorizing the default Gmail configuration may grant the plugin the ability to modify mailbox state beyond the user-visible Gmail tool list.
- Gmail is documented as enabled by default with read-only disabled, and the read-write scope includes `gmail.modify` even though the documented Gmail tools are search, read, list, and send. That appears broader than necessary for sending email.
- Skill content
- `| Gmail | gmail.readonly | gmail.modify + gmail.send |` ... `| gmail | true | false |`
- Recommendation
- Default Gmail to read-only, request `gmail.send` separately only when sending is needed, and avoid `gmail.modify` unless mailbox modification tools are explicitly documented and user-approved.
- Finding
- Anyone or anything that can read the token file may be able to access the authorized Google services.
- The plugin persistently stores and refreshes OAuth tokens for Google Workspace services. This is expected for the stated purpose and is disclosed, but it is sensitive delegated account access.
- Skill content
- **Token management:**
  - Tokens stored securely with `chmod 600` permissions
  - Auto-refresh when access token expires
  - Incremental scope addition when enabling new services (`include_granted_scopes: true`)
- Recommendation
- Store credentials and tokens only under a protected secrets directory, keep file permissions restrictive, and revoke the OAuth grant if the machine or token file may be compromised.
- Finding
- Package metadata inconsistencies can make it harder to know exactly what code or dependencies will be installed in some workflows.
- The lockfile version and dependency list do not match `package.json`, which shows version `0.2.1` and only `googleapis` as a runtime dependency. This looks like stale or inconsistent package metadata rather than confirmed malicious behavior.
- Skill content
- `"version": "0.1.1"` ... `"dependencies": { "googleapis": "^171.4.0", "user": "^0.0.0" }`
- Recommendation
- Regenerate and publish a consistent lockfile or remove it from the package if it is not used, and ensure runtime dependencies match `package.json`.