Back to skill
Skillv1.0.0
VirusTotal security
Google Keep · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:05 AM
- Hash
- 6c4420c985680ac02f566ff360c8c131b3bc0a4602ec7b80ca037497b463e763
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: google-keep Version: 1.0.0 The skill is classified as suspicious due to its handling of Google account credentials. It stores a non-expiring 'master token' (obtained via `gpsoauth`) that grants 'full account access' to the associated Google account in a local file (`.config/master_token`). While the skill explicitly warns the user about this risk in `SKILL.md` and sets file permissions to `0o600` in `gkeep.py`, the inherent design choice to store such a powerful, persistent credential locally represents a significant vulnerability. If the skill's directory or the user's system is compromised, this token could be stolen and used indefinitely, posing a high risk. There is no evidence of malicious intent or unauthorized data exfiltration beyond the stated purpose of managing Google Keep notes.
- External report
- View on VirusTotal