Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gmail Gog Setup
v1.0.0
Set up Gog CLI for Gmail access and authenticate agent mailboxes.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required binary (gog), and the SKILL.md all describe installing and configuring Gog for Gmail OAuth access — this is internally consistent. The skill legitimately needs Gog and Google OAuth credentials to do what it says.
Instruction Scope
Instructions concentrate on Gmail OAuth and Gog usage (creating an OAuth client, adding test user, running gog auth commands). They also include OS-level install commands (curl, tar, install to /usr/local/bin) and guidance to store client JSON under ~/.openclaw; these are appropriate for the task but require local filesystem and possibly elevated privileges. The SKILL.md also references an environment variable (GOG_KEYRING_PASSWORD) and a recommended credential path that are not declared in the skill metadata.
Install Mechanism
The SKILL.md contains a direct download from a GitHub Releases URL and a tar extraction followed by installing a binary to /usr/local/bin. GitHub Releases is a known host, so this is expected for installing a CLI, but it is higher-risk than a package-manager install because it writes files to disk and may require elevated privileges. The skill has no formal install spec in metadata (it's instruction-only).
Credentials
The skill metadata declares no required environment variables, but the instructions explicitly tell the user to set GOG_KEYRING_PASSWORD and to store OAuth client JSON in ~/.openclaw/credentials/google/. Asking users to create and store OAuth credentials and a keyring password is reasonable for the purpose. However, the omission from declared requirements and the lack of guidance about protecting these secrets are an inconsistency and a risk (sensitive data handling).
Persistence & Privilege
The skill is instruction-only, does not request 'always: true', and contains no code that would persist or modify other skills. It does instruct the operator to install a system binary under /usr/local/bin (may require sudo), but that is a user-operated step rather than an automated persistent presence requested by the skill.
Assessment
This skill appears to do what it claims (configure Gog to access Gmail), but take these precautions before running the commands:
1) Verify the GitHub release URL and prefer checksums/signatures or your OS package manager where possible rather than piping curl into an install location.
2) Installing to /usr/local/bin may require sudo—only install binaries you trust.
3) The SKILL.md asks you to set GOG_KEYRING_PASSWORD and store OAuth client JSON in ~/.openclaw, but these environment/config requirements are not declared in metadata — treat those files and variables as sensitive secrets and use a secret manager or restrictive file permissions.
4) When creating OAuth credentials, limit scopes, add only necessary test users, and revoke the client when no longer needed.
5) If you intend an agent to use this access autonomously, be extra cautious: verify access controls and rotate credentials regularly.
If you want higher assurance, ask the skill author to add a formal install spec, declare required env vars (e.g., GOG_KEYRING_PASSWORD), and provide CI-verified binary checksums or a package-manager-based install option.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9766cy53c7776g68enzyq40t984vdrn
Runtime requirements
📧 Clawdis
Bins: gog
