Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Google Contacts Search

v1.0.1

Atomic node skill to search Google Contacts. Loops internally until successful.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zvirb/google-contacts-search.

Install the skill "Google Contacts Search" (zvirb/google-contacts-search) from ClawHub.
Skill page: https://clawhub.ai/zvirb/google-contacts-search
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: COMPOSIO_API_KEY
Required binaries: gog
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install google-contacts-search

ClawHub CLI

npx clawhub@latest install google-contacts-search

Security Scan

Capability signals: Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The skill claims to search Google Contacts but does not request any Google/People API credentials (OAuth token, GOOGLE_API_KEY, GOOGLE_CLIENT_ID/SECRET). Instead it requires an unrelated-looking environment variable COMPOSIO_API_KEY and a binary named 'gog'. There's no homepage or source to explain how those map to Google Contacts access. This mismatch suggests the declared requirements are not aligned with the stated purpose.
Instruction Scope
SKILL.md is very minimal and contains no concrete runtime steps for authenticating to Google, calling the People/Contacts API, or using the 'gog' binary. The description 'Loops internally until successful' is vague and could allow repeated network calls. Because instructions are underspecified, it's unclear what the agent will actually do when invoked.
Install Mechanism
No install spec and no code files — this is instruction-only, so nothing is written to disk by an installer. That reduces some risk, but does not resolve the coherence issues above.
! Credentials
Requiring COMPOSIO_API_KEY (a generic-sounding secret) is disproportionate and unexplained for a Google Contacts search skill. No Google-specific credentials are requested. Requiring the 'gog' binary is also unexplained. Asking for unrelated or unexplained secrets increases the risk of credential misuse or exfiltration.
Persistence & Privilege
The skill does not request always:true, has no config path requirements, and is user-invocable only; it does not request elevated persistence or system-wide changes.
What to consider before installing
Do not install or run this skill until the author explains the missing pieces. Specifically:
  • Ask the author to document how the skill authenticates to Google Contacts and why COMPOSIO_API_KEY is required. Confirm whether COMPOSIO_API_KEY is an unrelated service credential and what permissions it grants.
  • Ask for the source code or a trustworthy homepage so you can verify what the 'gog' binary is and why it is needed. Do not provide secrets until you understand their purpose.
  • Prefer a version that requests Google-specific credentials (OAuth token or Google API credentials) or that documents using a well-known proxy service and why that is safe.
  • If you must test it, do so with limited/throwaway credentials in an isolated environment and monitor network activity.
If the author cannot explain the mismatch, avoid installing the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: gog
Env: COMPOSIO_API_KEY
latest: vk970aezth3w23zmjzeg2fzsf9n85je9d
67 downloads
0 stars
2 versions
Updated 1d ago
v1.0.1
MIT-0

Lean Philosophy (Principles)

  • Kaizen (改善): This skill is an atomic node, broken down into its simplest, smallest component to eliminate waste and ensure perfection.
  • Standardized Work (Hyojun Sagyo): This node represents the most efficient, standardized path for this specific task before automation.
  • Jidoka (自働化): This node includes autonomous defect detection. It will stop immediately and report if it cannot achieve the expected outcome.

Google Contacts Search

Role

You are a precise tool orchestration node. Your only responsibility is to search Google Contacts.

Input

A JSON object containing the required parameters for the execution.

Expected Output

A JSON array representing the result of the operation.
