Gog Jasmine Yottol
ReviewAudited by ClawScan on May 10, 2026.
Overview
This skill mostly matches its Google Workspace CLI purpose, but its package identity and OAuth credential handling are unclear for a tool that can access and change Google account data.
Install only if you trust the Homebrew formula and publisher. Prefer using your own verified Google OAuth client, review the Google consent screen, grant the minimum services needed, and require confirmation before the agent sends mail or changes Workspace data.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
It is harder to know who packaged or controls the skill and whether the installed CLI source matches the registry identity.
The packaged ownerId differs from the supplied registry Owner ID, creating a provenance mismatch for a skill that installs and relies on an external Google Workspace CLI binary.
"ownerId": "kn70w7wx43p52z66v9j5nfgg5580tg1y"
Verify the Homebrew formula, homepage, publisher identity, and package metadata before installing or authorizing Google access.
A user could authorize Google Workspace access through an OAuth client/project they did not knowingly choose or verify.
The package includes a Google OAuth client configuration, while the SKILL.md setup describes using a user-provided client_secret path and the registry metadata declares no primary credential. This under-discloses which OAuth app/project may be used for broad Workspace authorization.
"project_id":"eco-league-491806-p1" ... "client_secret":"GOCSPX-Cj_..."
Use a trusted OAuth client, inspect the Google consent screen carefully, grant only needed services/scopes, and revoke the OAuth grant if the project identity is unclear.
If granted OAuth access, the agent could perform real changes in Google Workspace when these commands are invoked.
These commands are purpose-aligned for a Google Workspace CLI, but they can send external email or change/clear spreadsheet data, especially if run non-interactively.
`gog gmail send ...`; `gog sheets update ...`; `gog sheets append ...`; `gog sheets clear ...`; `For scripting, prefer --json plus --no-input.`
Require explicit user approval before sending email, creating events, updating/clearing Sheets, or using non-interactive mode for account-changing operations.