ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pub Gog

v1.0.0

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs. And also 50+ models for image generation, video generation, text-to-speech, spee...

0· 182·0 current·0 all-time
by@quincygunter
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill name/description advertises a Google Workspace CLI (Gmail, Calendar, Drive, Contacts, Sheets, Docs) but the SKILL.md is entirely documentation for a third-party model API (https://api.heybossai.com/v1) that exposes many AI models. There are no Google Workspace endpoints, no Google OAuth / service-account env vars, and no instructions to interact with Google APIs. This is a clear mismatch between advertised purpose and actual functionality.
!
Instruction Scope
The runtime instructions only show curl commands to heybossai.com using an Authorization: Bearer $SKILLBOSS_API_KEY and model usage examples (chat, image, video, tts, stt, etc.). They do not request or access local files or unrelated env vars, but they do send user-provided prompts/data to an external API. Critically, the instructions do not implement any Google Workspace operations despite the description claiming that capability — this is deceptive scope.
Install Mechanism
This is an instruction-only skill with no install spec and no code files executed on the host. That minimizes local install risk.
Credentials
The skill requests a single env var (SKILLBOSS_API_KEY), which matches the documented Authorization header to heybossai.com. That single credential is proportionate to the actual instructions. However, because the description references Google Workspace, a user might mistakenly expect or supply Google credentials elsewhere — the mismatch is the main concern.
Persistence & Privilege
The skill does not request always:true, has no install-time persistence, and does not modify other skills or system config. It can be invoked by the agent (disable-model-invocation is false), which is normal.
What to consider before installing
Do not assume this skill will manage your Google Workspace: the advertised description and the actual instructions disagree. If you want a Google Workspace CLI, ask the publisher for proof (docs, repo, publisher homepage) and for Google-specific auth instructions (OAuth/service account) before providing credentials. If you consider using this skill: (1) verify the identity and reputation of 'heybossai.com' and the skill author, (2) create a dedicated SKILLBOSS_API_KEY with minimal permissions and billing limits, (3) monitor usage and set alerts, (4) test in an isolated account or sandbox, and (5) if you expected Google Workspace functionality instead of the model API, do not install — contact the publisher for clarification or find a different skill that explicitly and transparently integrates with Google APIs.

Like a lobster shell, security has layers — review code before you run it.

latestvk97358kaq893xsx4t6ntvmewzd82r25f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvSKILLBOSS_API_KEY
Primary envSKILLBOSS_API_KEY

Comments