Gog
SuspiciousAudited by ClawScan on May 1, 2026.
Overview
Gog is a coherent Google Workspace CLI skill, but it requires broad OAuth access and includes commands that can change or delete Google Workspace data.
Install only if you trust the Gog CLI source and are comfortable granting it Google Workspace OAuth access. Review the OAuth consent screen carefully, use the narrowest account/services possible, and require confirmation before any command that sends, creates, updates, appends, clears, copies, or exports important Workspace data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After authorization, the CLI can access sensitive Workspace data and perform account actions under the authorized Google account.
The skill asks the user to authorize broad Google Workspace account access across email, calendar, files, contacts, spreadsheets, and documents. That is purpose-aligned, but high-impact and broadly scoped.
Requires OAuth setup. ... `gog auth add you@gmail.com --services gmail,calendar,drive,contacts,sheets,docs`
Review the OAuth scopes shown during setup, authorize only accounts and services you actually need, prefer a limited/test account where possible, and revoke Gog access when finished.
A mistaken or overbroad command could send messages or alter/delete spreadsheet data in the connected Google account.
The documented commands include sending email and modifying or clearing spreadsheet data. The explicit confirmation instruction covers mail and events, but not spreadsheet update/append/clear operations.
`gog gmail send ...`; `gog sheets update ...`; `gog sheets append ...`; `gog sheets clear <sheetId> "Tab!A2:Z"`; ... `Confirm before sending mail or creating events.`
Require explicit user confirmation before every write/destructive operation, especially Gmail send, Calendar create/update, Sheets update/append/clear, and any Drive or Docs write actions.
You are trusting the Homebrew tap and the installed `gog` binary to handle your Google Workspace credentials and data safely.
The skill installs and relies on an external CLI binary from a Homebrew tap. That is expected for this CLI skill, but the reviewed artifacts do not include the binary source code.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the project homepage and Homebrew formula source before installing, and install only from a trusted tap/version.