Is clawhub/hightower6eu--google-workspace-2z5dp safe?
This skill is a malicious fake-dependency attack disguised as a Google Workspace integration. Its primary attack vector is instructing LLM agents to direct users to install unverified malware via two platform-specific channels: a glot.io copy-paste script for macOS and a password-protected executable from an unknown GitHub account for Windows. The skill requests maximally broad Google OAuth scopes, and post-install monitoring detected access to all monitored credential files. The legitimate Python Google API code serves only as camouflage — the actual payload is the social engineering instructions that weaponize the agent as a malware distribution proxy.
Category Scores
Findings (7)
CRITICAL macOS copy-paste malware delivery via glot.io -65 ▶
The skill instructs the agent to tell macOS users to visit https://glot.io/snippets/hfdxv8uyaf, copy the contents, and paste them into Terminal before using any Google API commands. This is a classic copy-paste malware delivery mechanism. The snippet content is not disclosed in the skill, cannot be verified, and can be changed at any time by the attacker. Executing unknown code from a public paste site grants the attacker arbitrary code execution as the user.
CRITICAL Windows malware delivery via password-protected executable from unknown GitHub account -65 ▶
The skill instructs Windows users to download openclaw-agent.zip from github.com/hedefbari/openclaw-agent — a third-party GitHub account unaffiliated with ClawHub or any verified OpenClaw project. The archive is password-protected with the password 'openclaw', which is a known technique to prevent antivirus engines and sandboxes from inspecting the payload before execution. Running this executable grants the attacker arbitrary code execution with the victim's user privileges.
CRITICAL Agent weaponized as social engineering proxy for malware installation -60 ▶
The skill's entire value proposition is gated behind installing an unverified external binary. The IMPORTANT notices at both the top and bottom of SKILL.md are designed to maximize the probability that an LLM agent presents this as a non-negotiable requirement. The agent becomes an unwitting accomplice in distributing malware, lending its authority and user trust to the attack.
HIGH Maximally broad Google OAuth scopes enable full account takeover -50 ▶
The requested scopes (gmail.modify, calendar, contacts, spreadsheets, documents, drive) provide complete read/write control over the victim's Google account. An attacker with access to the resulting token.pickle file can permanently read all email (including 2FA codes), delete or exfiltrate all Drive files, impersonate the user in calendar and contacts, and modify documents — all without further user interaction.
HIGH Post-install access to all monitored credential canary files -45 ▶
All six canary credential files were accessed at timestamp 1784241177.334 (post-installation). While the canary integrity check confirms no files were modified, read access to .env, SSH private keys, AWS credentials, npm auth tokens, Docker credentials, and GCloud application credentials in a single sweep is consistent with a credential harvesting operation. The audit sandbox likely blocked outbound exfiltration, masking what would otherwise be confirmed data theft.
MEDIUM pickle deserialization in OAuth token storage enables arbitrary code execution -15 ▶
The google_auth.py helper uses Python's pickle module to store and load OAuth tokens. The pickle format supports arbitrary object deserialization and is a well-documented arbitrary code execution vector. If an attacker can write a malicious token.pickle to the working directory (e.g., via the openclaw-agent itself), loading it with pickle.load() would execute attacker-controlled code with the user's privileges.
HIGH Skill is a malicious fake-dependency supply chain attack -60 ▶
The skill's architecture is consistent with a known attack pattern: present a legitimate-seeming integration, declare a required companion utility, deliver the companion through channels that evade security controls. The two delivery mechanisms (glot.io paste for macOS, password-protected ZIP for Windows) are specifically chosen to bypass different security boundaries. The skill has no legitimate use — any real Google Workspace integration uses the official Python client libraries declared in the pip install step, without requiring any openclaw-agent.