Google Drive File Management
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill’s Google Drive purpose is clear, but its code builds local shell commands from user-controlled values and can act through your configured Google Drive account.
Install only if you trust this skill and the `gog` CLI configuration. Before use, fix or sandbox the shell-command construction, use a least-privileged Google account or folder, and require confirmation before uploads, downloads, or sharing files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted file path, query, file ID, account name, role, or email value could cause unintended local commands to run with the agent’s permissions.
Caller-controlled values are interpolated into a command string that is executed through a shell. Similar patterns appear in list, search, download, and share operations.
const command = `gog drive files upload --account ${account} --file "${filePath}" --name "${fileName}" --parents "${folder}" ...`; ... execAsync(command, { shell: true });
Use `execFile` or `spawn` with an argument array instead of shell strings, validate IDs/roles/accounts, reject shell metacharacters, and constrain file paths before enabling the skill.
If used incorrectly, the agent could share private Drive files or grant edit access to another user.
The skill intentionally exposes Google Drive sharing permission changes, including writer access. This is purpose-aligned but high-impact.
### `drive share` ... `--email` (string, required) ... `--role` (string, optional): Role (reader,writer,commenter)
Require explicit user confirmation before sharing files, prefer reader access by default, and verify the recipient and file ID before running share actions.
The agent can list, search, upload, download, and share files that the configured Google account can access.
The skill uses a preconfigured Google account through `gog`. This is expected for a Drive integration, but it means actions occur under that account’s permissions.
Requires the `gog` CLI configured with access to Google Drive. The default account is `TU_EMAIL_GOOGLE`.
Use a dedicated or least-privileged Google account/folder where possible, check the `gog` OAuth scopes, and monitor Drive sharing changes.
The skill may fail unless `gog` is already installed, or it may run whichever `gog` executable is present on the user’s PATH.
The artifact set does not declare a trusted source, install process, or required `gog` binary even though the code depends on that external CLI.
Source: unknown; Homepage: none; Required binaries (all must exist): none; Install specifications: No install spec
Declare `gog` as a required binary with setup instructions, expected version/source, and credential requirements.
