ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

sdfsdfsd

v1.0.0

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs.

0· 553·0 current·0 all-time
by@hailinhmacduc
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The description (Google Workspace CLI) matches the runtime instructions which call the gog binary. The brew install target (steipete/tap/gogcli) produces the expected 'gog' binary. Minor oddities: the skill and SKILL.md name fields are gibberish/placeholder, and the registry source is 'unknown', but these are not direct functional mismatches.
Instruction Scope
SKILL.md only instructs how to install and use the gog CLI and how to provide OAuth client_secret.json and add an account for the listed Google services. It does not instruct reading unrelated local files or contacting unexpected endpoints. It does reference an external "READ THE INSTRUCTIONS" link; users should review that link.
Install Mechanism
The install method uses a third-party Homebrew tap (steipete/tap/gogcli) to install the 'gog' binary. Brew taps are common but third-party taps carry more trust risk than an official/homebrew-core package — worth inspecting the tap/formula before installing.
Credentials
The skill does not declare required env vars, but usage implies supplying an OAuth client_secret.json and granting access to Gmail/Calendar/Drive/Contacts/Sheets/Docs. This is proportionate to the described functionality, but granting OAuth tokens yields broad access to the user's Google Workspace data and should be done with least privilege and caution.
Persistence & Privilege
always is false and the skill does not request system-wide or persistent privileges beyond installing/using the 'gog' CLI. Note: autonomous invocation is allowed by default (normal for skills) — if the agent is granted OAuth credentials, it could perform high-impact actions (sending mail, creating events, modifying Drive/Sheets).
Assessment
This skill appears to be what it says: a wrapper around the 'gog' Google Workspace CLI. Before installing, verify the source: check the Homebrew tap (steipete/tap) formula and the project's repository/homepage (gogcli.sh) to confirm maintainers and review code. Be deliberate about OAuth credentials: follow least-privilege practices (create a dedicated test Google account or limited-scope client), inspect the OAuth consent/scopes requested, and do not reuse high-privilege or personal workspace credentials without reviewing the code. Because the brew formula is from a third-party tap, consider inspecting the formula (brew edit/view) or installing in a sandbox/VM first. Finally, the skill metadata contains placeholder names and an unknown registry source—that decreases signal about maintainership but does not contradict the skill's stated function; treat accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk973z7rfcf194tv82a0a2xr1m581j50s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
Binsgog

Install

Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli

Comments