Gog

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for using the gog Google Workspace CLI, but users should handle OAuth credentials and Google account data carefully.

Install only if you trust the gog CLI and intend to grant it access to the listed Google services. Store client_secret.json outside shared repos, use the narrowest OAuth scopes and account needed, review commands before sending mail or modifying Sheets/Drive data, and avoid exposing --json output or GOG_ACCOUNT values in logs.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill instructs users to configure OAuth credentials and account access for Gmail, Calendar, Drive, Contacts, Sheets, and Docs, but it does not include any guidance on securely handling the client secret file, limiting scopes, or protecting account data. Because this skill operates on highly sensitive Google Workspace content, omitting credential-handling and data-sensitivity warnings increases the chance of accidental exposure or misuse during setup and scripting.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal