Is gcloud safe?

https://clawhub.ai/jortega0033/gcloud

82
SAFE

This is a documentation-only GCP CLI reference skill containing no executable code, no prompt injection, and no malicious content. The skill itself is benign — it provides standard gcloud, gsutil, and firebase CLI command templates. The primary risk is operational: an agent with real GCP credentials could execute destructive infrastructure commands (delete instances, destroy secrets, modify IAM) without user confirmation. The AWS credentials file access during installation appears to be platform behavior, not skill-initiated.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (6)

MEDIUM Comprehensive infrastructure control without guardrails -25

The skill provides commands for creating, modifying, and deleting GCP infrastructure including VMs, Cloud SQL instances, secrets, container images, and IAM policies. An agent with configured gcloud credentials could execute destructive operations. The skill does not include any warnings or confirmation prompts for destructive actions.

LOW Installation requires executing remote script -12

The Installation section instructs downloading and executing the Google Cloud SDK install script from Google's CDN. While this is the official installation method, it involves piping a downloaded script to the shell. The firebase-tools npm global install is also a remote code execution vector, though both are well-known Google-maintained packages.

LOW Secret Manager access commands could surface credentials -18

The skill documents 'gcloud secrets versions access latest --secret=SECRET_NAME' which outputs secret values to stdout. If an agent executes this command, sensitive values could appear in conversation logs or be processed by the LLM. Similarly, gsutil cp could transfer local files to remote buckets.

MEDIUM Cloud storage sync could exfiltrate local data -10

The gsutil rsync and cp commands could be used to upload arbitrary local files to cloud storage. While this is the intended functionality, an agent could be socially engineered into syncing sensitive directories.

LOW Broad scope description may trigger over-eager skill activation -10

The skill description covers Compute Engine, Cloud Run, Firebase, Cloud Storage, Secret Manager, Cloud SQL, Artifact Registry, billing, and more. This broad scope means the skill could be activated for many GCP-related queries, giving the agent access to the full command reference even when only a subset is needed.

INFO AWS credentials file accessed during installation -15

The monitoring log shows /home/oc-exec/.aws/credentials was opened during the skill installation process. This appears to be the openclaw platform's agent initialization behavior rather than the skill itself, as there is no code in the skill that would trigger this access. The file was only read (CLOSE_NOWRITE), not modified.