Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sog

v0.3.0

Standards Ops Gadget — CLI for IMAP/SMTP/CalDAV/CardDAV/WebDAV. Open-standards alternative to gog (Google) and mog (Microsoft).

⭐ 0· 1.8k·0 current·0 all-time

by@visionik

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description (Standards Ops Gadget) match the included code and SKILL.md: a Go CLI implementing IMAP/SMTP/CalDAV/CardDAV/WebDAV clients. Required binary is 'sog' and the install uses a go package from github.com/visionik/sogcli — all appropriate for a Go CLI. No unrelated services or credentials are requested.

✓

Instruction Scope

SKILL.md tells the agent to invoke the sog CLI and documents commands; the runtime behaviors described (reading ~/.config/sog/config.json, using system keychain, contacting IMAP/SMTP/CalDAV/CardDAV/WebDAV endpoints) are consistent with an email/calendar/contacts/files client. There are no instructions to read unrelated system files or to send data to unexpected endpoints in the docs. Note: the CLI will access the user's account configuration and passwords (via keychain or optional file storage) and will make network connections to whatever servers the user configures — which is expected for this tool.

ℹ

Install Mechanism

Install uses 'go install github.com/visionik/sogcli/cmd/sog@latest' which is standard for Go CLIs; this downloads and builds source from the GitHub repo. This is expected and proportionate, but using @latest means you pull the tip (supply-chain risk if repository is compromised). No exotic download URLs or archive extraction are present.

✓

Credentials

The skill declares no required environment variables (SKILL.md documents optional SOG_ACCOUNT). It does require access to user passwords/config (stored in system keychain by default, or optionally a file if the user chooses 'file' storage). That access is appropriate for an email/CalDAV/CardDAV/WebDAV client. There are no unrelated credential requests.

✓

Persistence & Privilege

The skill is not always-included and follows normal model-invocation defaults. It stores its own config under ~/.config/sog/config.json and uses the system keychain (or an optional file). It does not request elevated system privileges or attempt to modify other skills or global agent settings.

Scan Findings in Context

[unicode-control-chars] unexpected: A scanner detected unicode-control-chars in SKILL.md. This can be benign (emoji, non-printing characters included in README/metadata) but is also a common vector for prompt-injection. The rest of the SKILL.md and code appear consistent; review the SKILL.md raw text for hidden/zero-width characters if you're concerned.

Assessment

This skill appears to be what it claims: a Go-based CLI for mail, calendars, contacts, tasks, and WebDAV. Before installing, consider these practical safety steps: - Prefer installing a specific, signed/tagged release instead of @latest (e.g., go install github.com/visionik/sogcli/cmd/sog@v0.3.0) to reduce supply-chain risk. - Inspect the repository (README, recent commits, open issues, maintainer activity) if you don't already trust the source. - Use the default keychain storage rather than the 'file' storage option so passwords are kept in the system keyring, not in plaintext files. - Be aware the binary will create/modify ~/.config/sog/config.json and will make network connections to whatever servers you configure (this is required functionality). Remove credentials/config if you uninstall. - The SKILL.md contained a unicode-control-chars scanner hit — this may be harmless (emoji/formatting), but if you plan to allow autonomous agent invocation, inspect the raw SKILL.md for hidden characters. If you want extra caution: build the binary from a checked-out tagged commit locally (go build) and audit the code paths that handle password storage and network endpoints before using it with sensitive accounts.

Like a lobster shell, security has layers — review code before you run it.

latestvk979tpt4138d8tv159c5rwtvhh7zy8m6

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📬 Clawdis

Binssog

Install

Install sog (go install)

Bins: sog

Sog

License

Runtime requirements

Install

Comments