GDrive Owncloud sync
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated sync-report purpose, but its OwnCloud helper can create a persistent broad file-listing service with default credentials that could expose private filenames if installed unchanged.
Before installing, change all default credentials, restrict the OwnCloud helper endpoint to trusted networks, protect or relocate /tmp/allfiles.txt with restrictive permissions, confirm the Google Drive account and email recipient are correct, and verify the external gog CLI source.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone who can reach the helper service and knows or guesses the default credentials could retrieve the OwnCloud file inventory.
The service template includes default Basic Auth credentials for the OwnCloud file-inventory endpoint; if deployed unchanged, those shared credentials protect access to private filename metadata.
Environment="ALLFILES_USER=admin"
Environment="ALLFILES_PASS=SuperSecretPasswordChangeMe2026!"
Require users to set unique secrets before enabling the service, remove default credentials from packaged files, store secrets securely, and rotate these values if they were ever used.
Private filenames and timestamps may remain in a server-side temporary file and be reused or exposed outside the immediate report workflow.
The helper creates a broad persistent index of filenames and modification times for the OwnCloud user tree and writes it to /tmp without documented restrictive permissions, retention, or exclusions.
/usr/bin/find "$OWNCLOUD_ROOT_INSTALL_DIR"/"$OWNCLOUD_USERNAME"/ -type f -printf '%f|%TY-%Tm-%Td %TH:%TM\n' > /tmp/allfiles.txt
Limit the indexed paths, exclude sensitive areas, write the index to a protected dedicated directory with restrictive permissions, and document retention and cleanup behavior.
After setup, the OwnCloud helper can keep running and refreshing the file index until the user disables the cron job and service.
The skill’s helper is intentionally installed as a scheduled job plus a long-running service; this persistence is disclosed and purpose-aligned, but it continues operating outside a single manual invocation.
A small script must be configured then installed with crontab (run daily): findallfiles.sh ... Install and enable the provided systemd service `allfiles.service`.
Install the persistent helper only on intended servers, monitor it, restrict network access, and document how to disable and remove the service and cron job.
The installed CLI may receive access to the user’s Google Drive account, so its source and update behavior matter.
The skill relies on an external Homebrew tap to install the Google Drive CLI used by the workflow; this is expected for the purpose, but the artifact does not pin or otherwise verify that dependency.
brew | formula: steipete/tap/gogcli | creates binaries: gog
Verify the Homebrew tap and gog CLI provenance before installation, prefer pinned or reviewed versions where possible, and grant only the Google account access needed for this task.
