Skill v1.0.0

ClawScan security

saltshaer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 2:47 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill is internally consistent: it is an instruction-only wrapper for the 'gog' Google Workspace CLI and requests installation of that CLI via a Homebrew tap; nothing requested is disproportionate to that purpose.
Guidance
This skill simply documents how to use the 'gog' CLI. Before installing: (1) verify the Homebrew tap (steipete/tap) and the formula source (read the tap's repo/homepage) since it's a third-party tap; (2) be prepared to supply OAuth client_secret.json and the Google account to authorize access — the 'gog' CLI will store tokens locally after auth; (3) double-check any 'gog' command that sends mail, creates events, or writes data (the SKILL.md itself notes to confirm before sending mail); and (4) if you don't trust the tap, install the 'gog' binary manually from the project's official releases or inspect its code before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the actual requirements and instructions: the skill requires the 'gog' CLI and provides commands for Gmail/Calendar/Drive/Contacts/Sheets/Docs. Requiring/installing 'gog' is expected.
Instruction Scope
note: SKILL.md instructs the agent/user to run 'gog auth credentials /path/to/client_secret.json' and to use 'gog' commands; this is in-scope. It also references an optional environment variable (GOG_ACCOUNT) and local OAuth credential files which are not declared in requires.env — a minor documentation mismatch. The instructions do not ask for unrelated system files or credentials.
Install Mechanism
note: Install uses a Homebrew formula (steipete/tap/gogcli) which is a third-party tap. Brew installs are common and lower-risk than arbitrary downloads, but you should verify the tap/formula and its maintainers before installing.
Credentials
note: No required environment variables or credentials are declared, which is appropriate. SKILL.md mentions GOG_ACCOUNT (optional) and expects OAuth client_secret.json to be provided by the user — these are reasonable but are not explicitly declared in requires.env; expect the CLI to store tokens locally after OAuth.
Persistence & Privilege
ok: Skill is user-invocable (not always-on). It does not request elevated persistent platform privileges and has no install scripts bundled in the skill that would modify other skills or system-wide settings.