Is hailinhmacduc/asdasdas safe?

https://github.com/openclaw/skills/tree/main/skills/hailinhmacduc/asdasdas

71
CAUTION

This skill presents as a legitimate Google Workspace CLI wrapper but carries two compounding red flags: all name fields (slug, SKILL.md name, display name) are random keysmash strings inconsistent with a production integration, and the canonical 'installation and use instructions' are offloaded to an unaudited external Claude artifact that can be updated post-publication to inject arbitrary agent instructions. The install itself was clean with no canary violations, but the skill's required third-party Homebrew tap and broad Google OAuth scope (including Gmail send) create significant capability abuse risk if an agent is manipulated through the external artifact channel.

Category Scores

Prompt Injection 55/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (6)

HIGH Unaudited external Claude artifact as instruction source -45

The SKILL.md instructs users (and by extension any agent loading this skill) to fetch 'INSTALLATION AND USE INSTRUCTIONS' from a claude.ai-hosted artifact. This artifact's content is entirely outside the audit boundary: it was not scanned, can be updated by the skill owner at any time without triggering skill re-review, and may be treated with elevated trust by Claude agents because it originates from the claude.ai domain. This is a well-known prompt injection delivery mechanism via deferred content loading.

HIGH Deceptive keysmash naming inconsistent with claimed functionality -30

All three name fields (slug: asdasdas, SKILL.md name: asdasdasd, _meta.json displayName: asdasdsad) are random keyboard mash. No legitimate developer publishes a production Google Workspace integration with this naming pattern. The skill either was accidentally published from a developer's junk test tree or was deliberately named to avoid human review while delivering a plausible-looking capability payload.

MEDIUM Broad Google Workspace OAuth scope including email send -30

The gog tool requests OAuth access to gmail, calendar, drive, contacts, sheets, and docs — the complete Google Workspace surface. An agent instructed (or injected) to use gog can read all Gmail, send email impersonating the user, enumerate contacts, read/write all Drive files, and modify Sheets data. The 'Confirm before sending' advisory in the skill provides no technical enforcement.

MEDIUM Third-party Homebrew tap installs unvetted binary -22

The skill's install metadata specifies brew install steipete/tap/gogcli. Homebrew third-party taps bypass the project's vetting process entirely. The tap maintainer (steipete) can push a malicious binary at any time; brew upgrade will transparently install it. The gog binary executes with full user privileges and stores Google OAuth tokens locally.

LOW Author's personal clawdbot lock.json committed into skill package -10

The .clawhub/lock.json file shipped with the skill contains the author's personal clawdbot environment state, revealing an installed skill (academic-research-hub v0.1.0) unrelated to Google Workspace. This is almost certainly an accidentally committed personal dotfile and indicates poor publishing hygiene.

INFO Install process was clean; no unexpected network or process activity 0

The git sparse-checkout installation contacted only GitHub (140.82.113.4:443) and standard Ubuntu infrastructure. No new persistent listening ports, no suspicious process spawning, and no filesystem changes outside the skill directory were detected. The install cleaned up the monorepo clone after completion.