Is jacobo-create/backup-gog-20260213-121122 safe?

https://github.com/openclaw/skills/tree/main/skills/jacobo-create/backup-gog-20260213-121122

90
SAFE

This skill is clean documentation for the 'gog' Google Workspace CLI tool with no prompt injection, no executable code, no git hooks, and a straightforward GitHub-only install. The primary risk is contextual rather than adversarial: once the user completes manual OAuth setup, the agent gains broad simultaneous access to Gmail, Calendar, Drive, Contacts, Sheets, and Docs, and the documented --no-input scripting mode can suppress action confirmations for sensitive operations like sending email.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 96/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 72/100 · 5%

Findings (5)

LOW --no-input flag suppresses interactive confirmation -12

The SKILL.md Notes section explicitly recommends '--no-input' for scripting scenarios. When an agent uses 'gog gmail send --no-input', the tool will send email without pausing for user confirmation, directly contradicting the skill's own advisory ('Confirm before sending mail or creating events'). This creates a path where a manipulated agent could send emails silently.

LOW Overly broad OAuth scope covers all Google Workspace services -15

The skill's setup instructions request OAuth authorization for gmail, calendar, drive, contacts, sheets, and docs simultaneously in a single auth add command. This maximizes the blast radius if the agent is later manipulated — a single compromised agent session has read/write access to the user's entire Google Workspace. A more conservative skill would scope each service separately or on-demand.

LOW Third-party Homebrew tap supply chain dependency -8

The clawdbot install metadata specifies the formula as 'steipete/tap/gogcli', a personal Homebrew tap maintained by an individual developer rather than an official Google or widely-audited organization. While outside the scope of this skill's files, users installing the binary tool are taking a supply chain dependency on that tap's ongoing integrity.

INFO No executable code, hooks, or submodules present 0

The skill payload consists exclusively of SKILL.md and _meta.json. Filesystem diff confirms only these two files were added. No package.json lifecycle hooks, no gitattributes filter drivers, no gitmodules, no symlinks, and no shell scripts were found.

INFO Clean install with GitHub-only network activity 0

The installation process made a single HTTPS connection to GitHub (140.82.121.3:443) to perform the sparse monorepo clone. No data exfiltration endpoints, unexpected DNS queries, or background processes were observed. Network state before and after install is equivalent.