Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Drive Setup
v1.1.0 · Configure Google Drive mount on Linux via rclone + gog OAuth. Use when user wants to mount Google Drive as local filesystem, set up auto-mount on boot, or co...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is to configure a Google Drive mount via rclone and gog. The SKILL.md and the bundled script require the gog CLI, rclone, fuse/fusermount, and access to gog-stored credentials, but the package metadata lists no required binaries or environment variables. That mismatch between what is used and what is declared is an incoherence: anyone installing this skill genuinely needs gog, rclone, and fuse and should be told so.
Instruction Scope
The instructions and the script explicitly export tokens from gog, read ~/.config/gogcli/credentials.json, write ~/.config/rclone/rclone.conf containing the client_secret and refresh_token, call Google's token endpoint, and create and enable a systemd service under /etc/systemd/system. These actions fall within the stated purpose but handle sensitive secrets and make system-level changes. Neither the SKILL.md nor the metadata states that root (or sudo) is required to write to /etc/systemd/system and run systemctl, and the instructions export token material to /tmp, a directory shared with every local user, where a file created under a loose umask is readable by all of them. That is a local exposure risk.
Install Mechanism
This is instruction-only with a bundled script: there is no network download of third-party code, no obscure URLs, and no package installation performed automatically, which keeps install risk low. When executed, the provided script runs local commands and edits system files; that is expected for the feature but requires user attention.
Credentials
The skill uses and requires sensitive credentials (the gog refresh_token, the Google client_id/client_secret, and possibly GOG_KEYRING_PASSWORD). These are necessary for the task, but the metadata declares no required environment variables (it should have called out GOG_KEYRING_PASSWORD), and the SKILL.md references files and environment variables that are not reflected in requires.env. The number and sensitivity of the secrets are appropriate for the purpose, but the omission in the metadata reduces transparency.
Persistence & Privilege
The script writes a systemd unit to /etc/systemd/system, then enables and starts it (systemctl enable/start). That is legitimate for auto-mounting but requires root privileges and permanently modifies system configuration. The skill neither declares nor warns about the elevated privileges; users should be aware that it changes system state and runs on every boot.
What to consider before installing
Before installing or running this skill:
1. Understand that it will read sensitive local files (the gog credentials and refresh token) and write them into ~/.config/rclone/rclone.conf; treat those files like secrets.
2. The script writes a systemd unit under /etc and runs systemctl enable/start, so you must run it as root (or via sudo), and the unit will persist across reboots.
3. The metadata fails to declare the required binaries and the GOG_KEYRING_PASSWORD env var; verify that you have gog, rclone, and fuse installed and that you trust the gog CLI and the source of this script.
4. If you prefer tighter control, run the steps manually (inspect the token export, the rclone.conf contents, and the systemd file) rather than executing the script as-is.
5. Ask the publisher to update the metadata to list the required binaries and env vars and to document the privilege requirements. If you cannot verify the origin or trust the gog credentials, do not run the script on a production machine.
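One way to do step 4 by hand with the exposure points above removed, given here as an added example that is not the skill's script (the real script may differ): the three OAuth values are passed in as arguments, captured from gog into shell variables instead of a file under /tmp; rclone.conf is created owner-only from the moment it exists; and the mount is a per-user systemd unit under ~/.config/systemd/user, so nothing under /etc changes and no root is needed. The remote name gdrive, the mount point, and the placeholder expiry in the token JSON are assumptions; the token field layout is the one rclone's drive backend stores.

```shell
#!/bin/sh
# Added example, not the skill's own script: build the rclone remote and a
# per-user systemd mount unit without root and without staging secrets in /tmp.
# Assumed/illustrative: remote name "gdrive", mount point, and the placeholder
# expiry in the token JSON. Secret values are passed as arguments, captured
# from gog into shell variables rather than written to a file under /tmp.

# True when a path is under shared temp space, where every local user can see
# the file and, with a loose umask, read it.
in_shared_tmp() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when the file exists and is readable/writable by its owner only.
is_owner_only() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Write the [remote] section for rclone's Google Drive backend. umask 077 makes
# the file owner-only from creation, so client_secret and refresh_token are
# never briefly readable by other users. An empty access_token with a past
# expiry makes rclone refresh the access token on first use (assumption).
write_rclone_conf() {
  conf="$1" remote="$2" client_id="$3" client_secret="$4" refresh_token="$5"
  mkdir -p "$(dirname "$conf")"
  chmod 700 "$(dirname "$conf")"
  (
    umask 077
    cat > "$conf" <<EOF
[$remote]
type = drive
scope = drive
client_id = $client_id
client_secret = $client_secret
token = {"access_token":"","token_type":"Bearer","refresh_token":"$refresh_token","expiry":"2000-01-01T00:00:00Z"}
EOF
  )
  chmod 600 "$conf"
  is_owner_only "$conf"
}

# Per-user unit under ~/.config/systemd/user: no sudo, nothing under /etc
# changes, and it is managed with `systemctl --user`. Type=notify keeps the
# unit "activating" until rclone reports that the mount is up.
write_user_unit() {
  unit="$1" remote="$2" mountpoint="$3" conf="$4"
  mkdir -p "$(dirname "$unit")"
  cat > "$unit" <<EOF
[Unit]
Description=Mount Google Drive remote $remote with rclone
Wants=network-online.target
After=network-online.target

[Service]
Type=notify
ExecStartPre=/bin/mkdir -p $mountpoint
ExecStart=/usr/bin/rclone mount $remote: $mountpoint --config $conf --vfs-cache-mode writes
ExecStop=/bin/fusermount -uz $mountpoint
Restart=on-failure
RestartSec=10

[Install]
WantedBy=default.target
EOF
}

# Usage, with CLIENT_ID/CLIENT_SECRET/REFRESH_TOKEN already captured from gog:
#   write_rclone_conf "$HOME/.config/rclone/rclone.conf" gdrive "$CLIENT_ID" "$CLIENT_SECRET" "$REFRESH_TOKEN"
#   write_user_unit "$HOME/.config/systemd/user/gdrive-mount.service" gdrive "$HOME/gdrive" "$HOME/.config/rclone/rclone.conf"
#   systemctl --user daemon-reload && systemctl --user enable --now gdrive-mount.service
```

If the mount must come up at boot before anyone logs in, also run `loginctl enable-linger "$USER"` once, since user units otherwise start with the first login session. The in_shared_tmp check is the scan's /tmp finding turned into code: run it against any file the gog export step produces before copying its contents anywhere, and refuse to proceed if it returns true.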
latest · vk97fmdj59er3rg78cw3j3a6q3184cy6y
