ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cs-gog

v1.0.0

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.

0· 117·0 current·0 all-time
by@snilpmud·duplicate of @jacobo-create/backup-gog-20260213-121122·canonical: @steipete/gog

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snilpmud/cs-gog.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "cs-gog" (snilpmud/cs-gog) from ClawHub.
Skill page: https://clawhub.ai/snilpmud/cs-gog
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: gog
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cs-gog

ClawHub CLI

Package manager switcher

npx clawhub@latest install cs-gog
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill declares and requires the 'gog' binary and the SKILL.md exclusively documents gmail/calendar/drive/contacts/sheets/docs operations — the requested binary and commands are coherent with the stated Google Workspace purpose.
Instruction Scope
SKILL.md instructs the agent to run 'gog' commands that perform sensitive operations (read/send mail, read/write Drive/Sheets/Docs, list contacts). This is expected for the claimed purpose, but the instructions rely on a user-provided OAuth client_secret.json and token setup which are not listed in requires.env/primaryEnv. The skill explicitly advises confirming before sending mail, which is good.
Install Mechanism
Install uses a Homebrew formula 'steipete/tap/gogcli'. Brew installs are common, but this is a third‑party tap (not core/homebrew). Users should verify the tap owner and formula source before installing because third‑party taps can deliver arbitrary code.
!
Credentials
The skill declares no required env vars, yet runtime setup requires OAuth client credentials (client_secret.json) and will create/hold OAuth tokens; GOG_ACCOUNT is suggested as an env var. These credentials are sensitive and effectively required for functionality but are not surfaced in the metadata. That mismatch reduces transparency about needed secrets and where they will be stored.
Persistence & Privilege
The skill is not always-enabled, but model invocation is allowed (default). Because the CLI can read/send email and modify documents, autonomous invocation increases blast radius — consider requiring explicit user confirmation for sensitive operations or disabling autonomous use if you want stricter controls.
What to consider before installing
This skill appears to be what it says (a CLI wrapper for Google Workspace), but take these steps before installing: - Verify the Homebrew tap and formula source (steipete/tap/gogcli) and confirm the upstream repo or website (https://gogcli.sh) are trustworthy. - Understand that you must supply OAuth client credentials (client_secret.json) and that the tool will store tokens locally; check where tokens/config are saved and whether they are encrypted. - Review and minimize OAuth scopes when running 'gog auth add' (don’t grant more permissions than necessary). - Be aware the skill can read/send email and access drive/docs; if you don’t want an autonomous agent performing those actions, disable autonomous invocation or require manual confirmation for sensitive commands. - If you need extra caution, install and run the CLI in an isolated environment (VM/container) and inspect the Homebrew formula source before installing. If you want, provide the Homebrew formula or upstream repo URL and I can review it for additional concerns.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🎮 Clawdis
Binsgog

Install

Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli
latestvk97ec5d2kvjr79k0q1bmj9rzzs83sed4
117downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@snilpmud
latest
Download

gog

Use gog for Gmail/Calendar/Drive/Contacts/Sheets/Docs. Requires OAuth setup.

Setup (once)

  • gog auth credentials /path/to/client_secret.json
  • gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs
  • gog auth list

Common commands

  • Gmail search: gog gmail search 'newer_than:7d' --max 10
  • Gmail send: gog gmail send --to a@b.com --subject "Hi" --body "Hello"
  • Calendar: gog calendar events <calendarId> --from <iso> --to <iso>
  • Drive search: gog drive search "query" --max 10
  • Contacts: gog contacts list --max 20
  • Sheets get: gog sheets get <sheetId> "Tab!A1:D10" --json
  • Sheets update: gog sheets update <sheetId> "Tab!A1:B2" --values-json '[["A","B"],["1","2"]]' --input USER_ENTERED
  • Sheets append: gog sheets append <sheetId> "Tab!A:C" --values-json '[["x","y","z"]]' --insert INSERT_ROWS
  • Sheets clear: gog sheets clear <sheetId> "Tab!A2:Z"
  • Sheets metadata: gog sheets metadata <sheetId> --json
  • Docs export: gog docs export <docId> --format txt --out /tmp/doc.txt
  • Docs cat: gog docs cat <docId>

Notes

  • Set GOG_ACCOUNT=you@gmail.com to avoid repeating --account.
  • For scripting, prefer --json plus --no-input.
  • Sheets values can be passed via --values-json (recommended) or as inline rows.
  • Docs supports export/cat/copy. In-place edits require a Docs API client (not in gog).
  • Confirm before sending mail or creating events.

Comments

Loading comments...