ClawHub

Google Keep

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Google Keep CLI, but it stores a password-like, non-expiring Google token with broader account access than a notes tool should need.

Install only if you are comfortable giving this skill and its Python dependencies a long-lived Google credential. Prefer a dedicated or low-risk Google account, keep the skill's .config directory private, avoid shared machines, back up important notes before edits or deletes, and manually remove the token and cached state when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Tainted flow: 'TOKEN_FILE' from os.environ.get (line 26, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_master_token(token):
    ensure_config_dir()
    with open(TOKEN_FILE, "w") as f:
        f.write(token)
    os.chmod(TOKEN_FILE, 0o600)
Confidence
79% confidence
Finding
with open(TOKEN_FILE, "w") as f:

Tainted flow: 'STATE_FILE' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_state(keep):
    ensure_config_dir()
    with open(STATE_FILE, "w") as f:
        json.dump(keep.dump(), f)
    os.chmod(STATE_FILE, 0o600)
Confidence
72% confidence
Finding
with open(STATE_FILE, "w") as f:

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill invokes shell commands, creates a virtual environment, installs packages, and reads/writes local credential and state files, but it does not declare any explicit permissions. This creates a transparency and governance gap: operators may approve or run the skill without understanding that it persists secrets and executes installer commands, which is especially risky because the skill handles long-lived Google account tokens.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The auth flow exchanges tokens over the network and persists a master token locally without any explicit warning, consent step, or explanation of sensitivity. In a skill context, this can surprise users into handing over highly sensitive long-lived credentials and storing them on disk, increasing the chance of account compromise through misuse or local theft.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This command accepts a pre-obtained master token and writes it to disk with no explicit warning about sensitivity, persistence, or consequences if the host is compromised. Because a master token is a powerful long-lived credential, silent local storage materially raises the risk of unauthorized access to the user's Google Keep data.

Session Persistence

Medium
Category
Rogue Agent
Content
- id: venv
        kind: shell
        command: "cd \"$SKILL_DIR\" && uv venv .venv && .venv/bin/pip install gkeepapi gpsoauth"
        label: "Create venv and install gkeepapi + gpsoauth"
---

# Google Keep CLI Skill
Confidence
80% confidence
Finding
Create venv and install gkeepapi + gpsoauth" --- # Google Keep CLI Skill Manage Google Keep notes and lists from the command line using the unofficial gkeepapi. ## Setup After installing, the CLI

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal