Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GDrive Owncloud sync
v1.0.0
Check that new files on Google Drive are present on OwnCloud + send email report
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (check Google Drive files against OwnCloud and email a report) matches the included scripts and the use of gog, jq, curl and zsh. The bundle also provides a small indexing service (Go program + find script + systemd unit) that must be deployed on the OwnCloud server — this is coherent with the stated purpose but expands the scope (requires server-side installation and TLS certs).
Instruction Scope
SKILL.md and owncloud-sync.sh limit runtime access to the local owncloud.json config and an /allfiles endpoint on ALLFILES_URL. However the skill bundle itself contains a populated owncloud.json and a systemd unit with a plaintext password; the instructions assume you will deploy the provided Go service and cron script on the OwnCloud host. The runtime instructions do not ask the agent to read unrelated system files, but including real credentials and a ready-to-use service in the skill increases risk if users install without review.
Install Mechanism
Install uses a brew formula (steipete/tap/gogcli) to provide the gog binary. This is a third‑party tap (not an official homebrew/core package) — moderate risk compared with no install spec, but reasonable for a CLI dependency. No other automated downloads or archive extractions are present.
Credentials
Registry metadata declared no required env vars, but the skill depends on secrets supplied via owncloud.json (ALLFILES_USER, ALLFILES_PASS, GOG_ACCOUNT, etc.). The bundle includes an allfiles.service file with an embedded password (SuperSecretPasswordChangeMe2026!) and a populated owncloud.json — shipping credentials in the skill archive is disproportionate and dangerous. The Go service expects ALLFILES_USER/ALLFILES_PASS as env vars when run on the server; the README instructs matching these to owncloud.json, but that creates an explicit secret-copying step.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or agent-wide settings. It provides a systemd unit for an optional server-side service — installing that would create persistence on the OwnCloud host, but that is an operator action rather than an agent privilege escalation.
What to consider before installing
This skill appears to implement its stated purpose, but exercise caution before installing or running it. Key points to consider:
- The skill archive includes a populated owncloud.json and a systemd unit with a plaintext password. Treat these as templates only — do NOT deploy the bundled credentials unchanged. Replace passwords and TLS certs with values you control.
- The skill requires gog (installed from steipete/tap/gogcli). Verify that tap and formula are trustworthy before adding the tap and installing the package.
- The bundle contains a Go service and a cron/find script that are intended to run on your OwnCloud server and will produce /tmp/allfiles.txt. Review and audit the find command, the service configuration, and file permissions; run the service only on a trusted host and ensure TLS certs are valid.
- Confirm how gog authenticates to Google Drive (it may require OAuth tokens or interactive login); avoid placing long-lived credentials in plaintext. The skill's GOG_ACCOUNT in owncloud.json is an account identifier, not an OAuth token.
- Before running, remove or sanitize any embedded secrets in the distributed files (owncloud.json, allfiles.service). If you need a second opinion, ask the author whether the included credentials are placeholders and request guidance on secure deployment.
If the author can (a) confirm that the embedded password is a placeholder and (b) provide a clear secure deployment guide (how gog auth is handled, explicit note that owncloud.json is a local-only template, and provenance for the brew tap), my confidence in the package would increase.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: zsh, curl, jq, gog
Install
Install gog (brew)
Bins: gog
brew install steipete/tap/gogcli