Google Docs from Markdown
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: gdocs-markdown Version: 1.0.1 The skill is classified as suspicious due to its automatic download and execution of the `pandoc` binary from a remote GitHub URL (`https://github.com/jgm/pandoc/releases/download/3.1.11/pandoc-3.1.11-linux-amd64.tar.gz`) within `scripts/gdocs-create.sh`. While `pandoc` is a legitimate tool and the source URL is official, downloading and executing external binaries from the internet represents a significant supply chain risk and a powerful capability that could be exploited if the remote source were compromised. The `SKILL.md` also instructs to `chmod +x` the script, granting it execute permissions. There is no clear evidence of intentional malicious behavior like data exfiltration or persistence, and the remote download is plausibly for the stated purpose of Markdown conversion.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
When invoked, the skill can create/upload documents in the Google Drive account currently authenticated in gog.
The skill depends on an already authenticated Google account through gog, so its Drive upload action will operate with that account’s permissions.
- `gog` CLI authenticated with Google account
Confirm gog is logged into the intended Google account and only run the skill for Markdown files you want uploaded to Drive.
First use may run a downloaded Pandoc binary from /tmp, which depends on trusting the GitHub release download path and network integrity.
If Pandoc is missing, the helper downloads and extracts a third-party binary from GitHub at runtime without a checksum verification step.
wget -q https://github.com/jgm/pandoc/releases/download/3.1.11/pandoc-3.1.11-linux-amd64.tar.gz
tar xzf pandoc-3.1.11-linux-amd64.tar.gzPrefer installing Pandoc through a trusted package manager or verify the release checksum before relying on the auto-download path.