ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Civic Google

v0.1.1

Use gog (Google CLI) without manual OAuth setup — Civic handles token management automatically

0· 200·0 current·0 all-time
by@civictechuser

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for civictechuser/civic-google.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Civic Google" (civictechuser/civic-google) from ClawHub.
Skill page: https://clawhub.ai/civictechuser/civic-google
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: CIVIC_TOKEN
Required binaries: gog
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install civic-google

ClawHub CLI

Package manager switcher

npx clawhub@latest install civic-google
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to let agents run the gog CLI without manual OAuth setup and only requires the gog binary and a CIVIC_TOKEN. Those requirements and the described plugin behavior are coherent with that purpose.
Instruction Scope
The SKILL.md instructs the plugin to send the gog command prefix to app.civic.com for scope resolution and says arguments aren't logged. This is within the plugin's stated purpose, but it does transmit which subcommands/services you use to Civic. The doc also exposes an OPENCLAW_PROXY_URL override (example uses plain http://localhost:3013) — changing this could redirect scope resolution to another endpoint, so users should be careful where they point it.
Install Mechanism
This is an instruction-only skill (no install spec or code files). The SKILL.md tells users to install the OpenClaw plugin and brew-install gog; those are standard OS-level instructions and low-risk from this static review.
Credentials
The only required environment variable is CIVIC_TOKEN, which is appropriate for an OAuth-proxy service. However, CIVIC_TOKEN grants Civic account-level API access and therefore authorizes Civic to manage stored OAuth tokens on your behalf — you must trust Civic with that responsibility. The plugin does not request Google credentials, which is consistent.
Persistence & Privilege
always is false and the skill does not request system-wide configuration or other skills' credentials. Nothing in the SKILL.md indicates it modifies other skills or requires permanent elevated presence.
Assessment
This skill appears internally consistent: it asks only for the gog binary and a CIVIC_TOKEN and the instructions match its stated proxying behavior. Before installing, verify the Civic service and the claimed open-source repo (https://github.com/civicteam/openclaw-google and the npm package) so you can inspect how tokens are handled. Understand that Civic will learn which gog subcommands you run (the SKILL.md says arguments are not logged, but subcommand prefixes are), and that CIVIC_TOKEN grants Civic the ability to hold and refresh your Google OAuth tokens on your behalf — only proceed if you trust Civic. If you test locally, be cautious with OPENCLAW_PROXY_URL (don’t point it to untrusted remote endpoints) and store CIVIC_TOKEN securely; know how to revoke or rotate it via app.civic.com if you stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔑 Clawdis
Binsgog
EnvCIVIC_TOKEN
latestvk97ev4ej9jm4nytnhq9j4w3t4h835p6h
200downloads
0stars
2versions
Updated 22h ago
v0.1.1
MIT-0
@civictechuser
latest
Download

This skill describes the @civic/openclaw-google plugin, which lets agents use gog (the Google Workspace CLI) without the user having to create a Google Cloud project, configure OAuth credentials, or manage tokens. Civic acts as an OAuth proxy — it provides the OAuth client, stores tokens encrypted server-side, refreshes them automatically, and the plugin requests only the scope each command actually needs.

Privacy and security

  • What is sent to Civic: The plugin sends the gog command prefix (e.g. gog gmail send) over HTTPS to app.civic.com for scope resolution. The proxy reads only the command prefix to determine which OAuth scope is needed — command arguments (email addresses, search queries, file names) are not logged, stored, or used by the proxy.
  • CIVIC_TOKEN: This is the user's own API key from their Civic account at app.civic.com. It authenticates the user to their own account and is never shared. It is sent as a Bearer token over HTTPS.
  • Token handling: OAuth access tokens are short-lived (~1 hour), stored encrypted (AES-256) on Civic's servers, and refreshed automatically. The agent never sees OAuth client secrets or refresh tokens.
  • Source code: The plugin is open source at https://github.com/civicteam/openclaw-google and published on npm as @civic/openclaw-google.

Setup

  1. Install the plugin:

    openclaw plugins install @civic/openclaw-google

  2. Install gog (the Google CLI):

    brew install gog

  3. Set your Civic API token in the gateway environment:

    CIVIC_TOKEN=<your-token-from-app.civic.com>

    Get your token from app.civic.com -> Settings -> API Keys.

  4. Restart the gateway.

How it works

  1. Agent calls gog gmail search newer_than:1d
  2. Plugin intercepts the exec tool call via a before_tool_call hook
  3. Plugin sends the command prefix to the Civic proxy for scope resolution
  4. Proxy matches gog gmail -> gmail.readonly scope
  5. If authorized: returns a short-lived access token, plugin sets GOG_ACCESS_TOKEN env var, gog runs
  6. If not yet authorized: blocks the tool call and surfaces an auth URL for the user to consent
  7. After first consent per scope, all future calls work automatically

Supported services and scope mapping

The plugin maps each gog subcommand to the narrowest OAuth scope required. Write operations get specific scopes; unrecognized subcommands fall back to read-only.

Gmail

  • gog gmail send — gmail.send
  • gog gmail draft, gog gmail drafts — gmail.compose
  • gog gmail trash, archive, read, unread, batch — gmail.modify
  • gog gmail (catch-all) — gmail.readonly

Calendar

  • gog calendar create, update, delete, respond, subscribe — calendar.events
  • gog calendar (catch-all) — calendar.readonly

Drive

  • gog drive upload, create, update, delete, move, rename, share, copy, import — drive.file
  • gog drive transfer — drive (full access, required for ownership transfer)
  • gog drive (catch-all) — drive.readonly

Docs

  • gog docs create, edit, append — documents
  • gog docs copy, delete, import — documents + drive.file
  • gog docs export — documents.readonly + drive.file
  • gog docs (catch-all) — documents.readonly + drive.readonly

Sheets

  • gog sheets write, append, delete, insert, format, merge, freeze, resize — spreadsheets
  • gog sheets create — spreadsheets + drive.file
  • gog sheets (catch-all) — spreadsheets.readonly + drive.readonly

Slides

  • gog slides create, copy — presentations + drive.file
  • gog slides edit, update, duplicate, delete — presentations
  • gog slides (catch-all) — presentations.readonly + drive.readonly

Tasks

  • gog tasks add, done, delete, move, update — tasks
  • gog tasks (catch-all) — tasks.readonly

Contacts

  • gog contacts create, update, delete, merge, batch — contacts
  • gog contacts (catch-all) — contacts.readonly

Chat

  • gog chat send — chat.messages.create
  • gog chat create — chat.spaces
  • gog chat delete — chat.messages
  • gog chat (catch-all) — chat.spaces.readonly + chat.messages.readonly

Forms

  • gog forms create, update, delete — forms.body
  • gog forms (catch-all) — forms.body.readonly + forms.responses.readonly

Apps Script

  • gog appscript run — script.projects
  • gog appscript deploy — script.deployments
  • gog appscript (catch-all) — script.projects.readonly + drive.readonly

Troubleshooting

  • "No CIVIC_TOKEN configured" — Set CIVIC_TOKEN in your gateway environment. Get it from app.civic.com -> Settings -> API Keys.
  • Auth URL keeps appearing — The user needs to click the authorization link and complete the Google consent screen. Each scope requires separate consent.
  • Token errors after working previously — The user may have revoked access in their Google account settings. Re-authorize by triggering any gog command.

Custom proxy URL

For local development, set OPENCLAW_PROXY_URL in the gateway environment:

OPENCLAW_PROXY_URL=http://localhost:3013/openclaw

Comments

Loading comments...