ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Boss Assistant

Transform any AI into a professional executive assistant with battle-tested personas and workflows. Complete templates for Google Workspace integration (Gmail, Calendar, Drive), milestone delivery system, and security guidelines.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 3.4k · 22 current installs · 23 all-time installs
by@jacky6658
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill promises Google Workspace automation (Gmail, Calendar, Drive) and indeed documents heavy use of the 'gog' CLI and other local CLIs/tools. The skill package only declares 'node' as a required binary but does not declare 'gog' or other runtime tools it repeatedly instructs the agent to run. The README and SKILL.md also list model API keys (Claude/GPT/Gemini) as prerequisites but the skill's requires.env is empty. Those omissions are incoherent with the described capabilities.
!
Instruction Scope
The runtime instructions ask the agent (and user) to install gog, move OAuth client JSON into a specific user path (/Users/user/Library/Application Support/gogcli/credentials.json), run 'gog auth credentials' and 'gog auth add' and to read/write memory files (MEMORY.md, memory/YYYY-MM-DD.md). The docs also describe running shell commands (gog, open, agent-browser), using exec/read/write/process, and sending files via messaging tools. All are plausible for this purpose, but these instructions reach into local filesystem and OAuth flows and will result in persistent credentials on disk — the SKILL.md does not declare or explain these sensitive operations explicitly in the metadata.
Install Mechanism
The skill is instruction-only (no install spec), so nothing will be written by the skill bundle itself. However the docs instruct the user/agent to run external installs (npm install -g gog, brew install, npm install -g openclaw). Those are standard package installs (npm/Homebrew) but are not automatically recorded in the skill metadata. Absence of an explicit install spec for 'gog' is an inconsistency to be aware of.
!
Credentials
The package declares no required environment variables or primary credential, yet the README and SKILL.md require: (a) Google OAuth client JSON to be placed in a user path, (b) authorizing multiple Google accounts with broad services (gmail,calendar,drive,docs,sheets), and (c) model API keys (Anthropic/OpenAI/Google). Requesting wide Google scopes is expected for workspace automation, but the lack of declared credentials and the instruction to put OAuth secrets in a user path is a mismatch and a material security surface that should be explicitly called out.
Persistence & Privilege
The skill is not 'always:true'. It instructs creating persistent artifacts (MEMORY.md, memory logs), placing OAuth JSON in ~/Library/Application Support, and configuring cron/cron jobs and multiple accounts. Those are normal for an assistant but grant ongoing local persistence and persistent access (tokens on disk). Because autonomous invocation is allowed by default, combining persistent tokens and autonomous capabilities increases blast radius — not flagged alone but worth user caution.
What to consider before installing
What to check before installing / using this skill: 1) Missing declarations: The skill metadata only lists 'node' as required, but the documentation repeatedly instructs installing and running the 'gog' CLI and other local tools. Confirm you (or the environment) will actually install and run 'gog' and any other CLIs before enabling this skill. 2) Google OAuth secrets: The docs instruct you to download a Google OAuth client JSON and move it into a specific path. That JSON contains sensitive client credentials and the subsequent 'gog auth add' flow will grant access to Gmail/Calendar/Drive. Only use a dedicated/test Google account (or minimally-privileged accounts) when authorizing, and review the OAuth scopes requested in the browser prompt before approving. 3) Model API keys and other secrets: README/Quick Start mention Claude/GPT/Gemini API keys but the skill does not declare env var names. Determine how your environment supplies model API keys and ensure they are not exposed to third parties. The skill may expect such keys though they aren't declared. 4) Files and logs: The assistant writes MEMORY.md and daily memory files; these will contain user data and possibly email/calendar snippets. Decide where these files live, review contents regularly, and avoid storing them in shared or backed-up locations if they contain sensitive information. 5) Messaging / external endpoints: The skill references using 'message' to send files to channels (Telegram, Slack, etc.). If you enable those integrations, confirm recipients and channels are correct and that no sensitive attachments are sent automatically. 6) Trust the source and verify code: The repo homepage is provided (GitHub). Review the repository and recent commits to verify authorship and inspect any scripts before running installation commands. Prefer installing 'gog' from the official Homebrew tap or the official npm package and verify package provenance. 7) Least privilege: If you want to test functionality, use a sandbox Google account and a minimal set of scopes (only the services you need). Avoid using your primary/work accounts until you confirm behavior. 8) Autonomy & persistence: Because the agent may run CLI commands, change files, and keep tokens on disk, only grant permissions you are comfortable with. If you want to limit automation, avoid enabling fully autonomous invocations or restrict it to supervised sessions. If you want, I can list the exact places in the included files where OAuth credentials are requested, where tokens/paths are referenced, and suggest a minimal safe checklist (which files to inspect and what to remove or limit) before you proceed.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.2
Download zip
latestvk97aezdxydpzs6a1y798agvxch80vj15

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💼 Clawdis
Binsnode

SKILL.md

AI Boss Assistant

Transform any AI into a professional executive assistant with battle-tested personas and workflows.

Overview

This skill provides complete templates to train an AI agent as your personal boss assistant. It includes:

  • Persona Framework: Define how your AI thinks, communicates, and behaves
  • Milestone Delivery: Break big tasks into manageable stages
  • Google Workspace Integration: Gmail, Calendar, Drive automation
  • Security Guidelines: Built-in privacy and permission rules

Quick Usage

Train Your AI

Ask the AI to read and learn from these files in order:

Please read and learn from:
1. agent-persona/PERSONA.md - Core personality
2. agent-persona/COMMUNICATION.md - How to communicate
3. agent-persona/WORKFLOW.md - Milestone delivery system
4. agent-persona/RULES.md - Behavioral rules

Example Commands

After training, you can say:

"Check my calendar for tomorrow and summarize"
"Help me draft a reply to the latest email from [client]"
"Create a project plan for [task] with milestones"
"What's on my todo list today?"

Key Concepts

AI Employee vs Chatbot

This template creates an "AI Employee" that:

  • ✅ Proactively executes tasks
  • ✅ Provides complete solutions
  • ✅ Has judgment and opinions
  • ✅ Delivers results, not just answers

Milestone Delivery

Big tasks are broken into stages:

Task → M1 → Deliver → OK → M2 → Deliver → OK → Done

This prevents "black box" operations and allows review at each stage.

Externalized Memory

Important info is written to files:

  • MEMORY.md - Long-term memory
  • memory/YYYY-MM-DD.md - Daily logs

Requirements

  • OpenClaw 1.0+
  • Node.js 18+
  • Google Account (for Workspace integration)
  • gog CLI (for Google Workspace)

Installation

# Install gog for Google Workspace
npm install -g gog
gog auth login --services gmail,calendar,drive

Files Structure

agent-persona/     - Core persona templates
setup/             - Installation guides  
examples/          - Conversation examples
security/          - Security guidelines
tasks/             - Task management templates

Links

Files

27 total
Select a file
Select a file to preview.

Comments

Loading comments…