Gog 1.0.0
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a coherent Google Workspace CLI skill, but it needs broad Google OAuth access and can read or modify Workspace data, so use it with explicit approvals.
Install only if you trust the gog project and Homebrew tap. Review OAuth scopes, connect only accounts and services you actually need, and require confirmation before sending email, creating events, updating or clearing Sheets, copying Docs, or making any other write action.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A connected Google account may expose mail, calendar, drive, contacts, sheets, and docs data to the CLI according to the OAuth scopes granted.
The skill explicitly asks the user to authorize a Google account across multiple Workspace services. This is expected for the stated purpose, but it is broad account authority.
`gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`
Review the OAuth consent screen carefully, authorize only needed services where possible, prefer a dedicated account for automation, and revoke access when no longer needed.

If used carelessly, the agent could send messages or change business/personal spreadsheet data.
The documented commands include high-impact actions such as sending email and modifying or clearing spreadsheet ranges. These are disclosed and aligned with a Workspace CLI, but they need user control.
`gog gmail send --to a@b.com --subject "Hi" --body "Hello"` ... `gog sheets update ...` ... `gog sheets clear <sheetId> "Tab!A2:Z"`
Require explicit confirmation for every send, create, update, append, clear, copy, or other write action, and review recipients, IDs, ranges, and payloads before execution.

Private Google Workspace data could be shown to the agent, and malicious text inside emails or documents could try to influence the agent's behavior.
The skill can retrieve private Workspace content into the agent's working context. Retrieved emails or documents may contain sensitive information or untrusted instructions.
`gog gmail search 'newer_than:7d' --max 10` ... `gog contacts list --max 20` ... `gog docs cat <docId>`
Use narrow searches and specific document IDs, avoid pulling unnecessary sensitive content, and treat retrieved emails/docs as data rather than instructions.

You are trusting the Homebrew tap and the installed gog binary with Google OAuth access.
The skill depends on an externally installed Homebrew binary. This is normal for a CLI skill, but the executable itself is not included in the reviewed artifacts.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the Homebrew formula, homepage, and publisher before installing, and keep the binary updated from a trusted source.

Publisher/package identity should be checked before granting broad Google account access.
The included _meta.json identity differs from the registry metadata shown for the evaluated package, creating a minor provenance ambiguity. There is no artifact evidence of hidden behavior.
"ownerId": "kn70pywhg0fyz996kpa8xj89s57yhv26", "slug": "gog"
Confirm that the registry entry, homepage, and Homebrew formula all refer to the same trusted project before authorizing OAuth.
