Google Docs Skill
v0.1.0Integrate with Google Docs API to create, read, update, format, and manage documents using OAuth 2.0 authentication.
⭐ 0· 1.2k·4 current·4 all-time
by@zagran
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The instructions and example code clearly implement Google Docs API access via OAuth2 (creating documents, batchUpdate, etc.), which matches the skill name. However the registry metadata provides no description, homepage, or declared required environment variables even though the SKILL.md explicitly expects GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REFRESH_TOKEN.
Instruction Scope
The SKILL.md stays within the scope of Google Docs integration: it shows obtaining OAuth tokens, refreshing access tokens, and calling docs.googleapis.com endpoints. It uses a local redirect (HTTPServer on localhost) and opens a browser to obtain consent — both normal for OAuth desktop/web flows. The instructions do not request unrelated system files or external endpoints beyond Google.
Install Mechanism
There is no install spec and no code files beyond the SKILL.md, so nothing is written to disk or downloaded by the skill packaging itself. This lowers installation risk. The provided Python snippets are for the user to run locally.
Credentials
The SKILL.md instructs users to set GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REFRESH_TOKEN (sensitive secrets) but the skill metadata declares no required environment variables or primary credential. That mismatch is incoherent: the skill needs secrets to operate but does not declare them in metadata, preventing reviewers/hosts from seeing what will be requested. Requesting those three variables is proportionate to an OAuth-based Google Docs integration, but the omission from metadata is a security/process concern.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges or modify other skills/settings. It also does not include install scripts that would persist on disk. Autonomous invocation is allowed (platform default) but is not combined with other high privilege requests.
What to consider before installing
What to consider before installing:
- Metadata mismatch: the SKILL.md requires GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, and GOOGLE_REFRESH_TOKEN, but the skill metadata does not declare any required env vars. Ask the publisher to update metadata to list required credentials and to provide a homepage/source repo for provenance.
- Secrets handling: these environment values are sensitive. Only use credentials you control, and avoid pasting client secrets or refresh tokens into shared/managed environments. Prefer running the OAuth script locally on a trusted machine rather than letting any automated agent execute it.
- Verify endpoints and scope: the code calls docs.googleapis.com and oauth2.googleapis.com with the scope https://www.googleapis.com/auth/documents — confirm the scope is appropriate and consent screens are configured correctly.
- Source/verifiability: there is no homepage or repository. If you need assurance, request the skill source or a published repository and review the full SKILL.md (it was truncated in the package) before installing.
- If you proceed: require the publisher to declare required env vars in the skill metadata, and consider creating a dedicated Google OAuth client (with limited scope) and rotating credentials after use.
If the publisher cannot or will not provide provenance and corrected metadata, treat this package as untrusted and do not install.Like a lobster shell, security has layers — review code before you run it.
latestvk971f0t751fp83cz86q7nqed9s80t7n4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.