Skill v1.1.0

ClawScan security

Google Workspace (gws CLI) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 1:03 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to wrap the expected Google Workspace CLI and mostly matches its stated purpose, but there are inconsistencies and operational risks (undeclared env vars, a third-party npm install, and an MCP server that exposes a broad surface) that you should understand before installing.
Guidance
This skill wraps the third-party `gws` CLI and is generally coherent with its purpose, but: (1) verify the npm package and upstream repository before installing (confirm publisher, checksum, and repository code), (2) never commit exported credentials.json to source control and prefer a service account with least-privilege scopes, (3) only set GOOGLE_WORKSPACE_CLI_TOKEN or credential file env vars on machines you fully trust, (4) be cautious with batch/delete examples — test on non-production data first, and (5) avoid enabling `gws mcp` (MCP server) unless you understand who can connect to it because it exposes all Workspace operations to remote clients. If you want a safer setup: run the CLI inside an isolated environment, use service accounts with scoped permissions, and review the npm package source code before trusting it with org data.

Review Dimensions

Purpose & Capability: ok
Name and description map directly to the `gws` CLI and the install produces the `gws` binary; the requested binary is exactly what the skill says it wraps. The claimed capabilities (Drive, Gmail, Calendar, Sheets, etc.) align with what the CLI exposes.
Instruction Scope: concern
SKILL.md instructs the agent to read/write credential files, set environment variables, export unmasked credentials, and run destructive batch commands (e.g., delete files via xargs). It also documents running `gws mcp`, which exposes Workspace operations over an MCP server — increasing the attack surface. The instructions reference environment variables and filesystem paths that are not declared in the registry metadata.
Install Mechanism: note
The install spec installs an npm package (@googleworkspace/cli), which is a reasonable distribution method for this CLI but is higher risk than an instruction-only skill because arbitrary code will be written to disk and a global binary will be created. The README links to an upstream GitHub repo and explicitly states the CLI is not an officially supported Google product; you should verify the npm package and upstream source before installing.
Credentials: concern
Registry metadata declares no required env vars, but the SKILL.md and references mention and require GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE, GOOGLE_WORKSPACE_CLI_TOKEN and other env variables (and .env file usage). The skill will operate with broad Workspace OAuth scopes if you grant them; ensure you only grant minimal scopes and use service accounts or domain-limited credentials where appropriate.
Persistence & Privilege: note
`always:false` and no explicit persistent modifications to other skills or system configs, which is good. However, the documented `gws mcp` server can expose Workspace operations to other agents/tools — this is effectively a network-exposed tool surface and should be enabled only when you understand and trust every client that can reach it.