Is google-workspace-admin safe?

https://clawhub.ai/byungkyu/google-workspace-admin

72
CAUTION

This skill is a documentation-only wrapper for Google Workspace Admin SDK operations proxied through Maton's third-party gateway. It contains no executable code or direct malicious content, but all Google Workspace data and OAuth tokens are routed through and stored by Maton (gateway.maton.ai/ctrl.maton.ai), creating a significant third-party trust dependency. The skill provides an AI agent with full organizational admin capabilities including user creation/deletion, admin privilege escalation, and group management — operations that carry inherent risk when delegated to an AI agent through a third-party intermediary.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH All data routed through third-party proxy (Maton) -25

Every API call passes through gateway.maton.ai rather than directly to admin.googleapis.com. Maton holds the OAuth tokens and acts as a man-in-the-middle for all Google Workspace admin operations. This gives Maton full visibility into user management, group structures, organizational units, and domain settings.

HIGH OAuth token management delegated to third party -15

OAuth connections are created and managed via ctrl.maton.ai. The user's Google Workspace OAuth tokens are stored by Maton, not locally. This means Maton has persistent access to the user's Google Workspace admin account even when the skill is not actively being used.

MEDIUM Cross-skill reference in description -15

The skill description explicitly references and recommends another skill (api-gateway) by full URL. This could lead to chained skill installation, expanding the agent's capabilities and attack surface beyond what the user originally intended.

MEDIUM Skill instructs agent to execute inline Python code -12

All code examples use Python heredoc patterns (python <<'EOF'...EOF) that the agent is expected to execute. While these are standard API call patterns, they normalize the agent executing arbitrary code blocks from skill documentation, which could be exploited by a modified or trojanized version.

MEDIUM Full admin privilege escalation capability -30

The skill provides the agent with the ability to make any user a super admin via the makeAdmin endpoint. An agent could be socially engineered or prompt-injected into elevating privileges for an attacker-controlled account.

MEDIUM Destructive operations available without confirmation gates -25

The skill documents user deletion, group deletion, org unit deletion, and member removal without any built-in confirmation mechanism. An agent following these instructions could perform irreversible destructive operations on the organization's directory.

LOW Environment variable access requirement -5

The skill requires MATON_API_KEY to be set as an environment variable. While necessary for operation, this means the agent has access to a credential that provides authenticated access to a third-party service with Google Workspace admin powers.

LOW Sensitive file reads during installation -15

During the install phase, the monitoring detected reads of .env, .aws/credentials, and various OpenClaw config files. These appear to be platform-level behavior rather than skill-initiated, but they indicate the install environment has access to sensitive credentials.

INFO Documentation-only skill with no executable code -10

The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin.json. No executable scripts, no package.json dependencies, no git hooks or submodules. The skill is purely instructional documentation for an API proxy.