Is kai-jar/gmail-oauth safe?

https://github.com/openclaw/skills/tree/main/skills/kai-jar/gmail-oauth

87
SAFE

The kai-jar/gmail-oauth skill is a legitimate, well-written documentation and helper script for setting up headless Gmail OAuth flows using the gog CLI. The SKILL.md contains no prompt injection, hidden instructions, or obfuscation. The included bash script communicates exclusively with Google's OAuth endpoints and performs standard token exchange. Primary risks are: OAuth client credentials are transiently exposed in the process list during curl execution, the skill normalizes dismissal of Google security warnings, and the resulting gmail.modify tokens grant broad Gmail access that could be leveraged if subsequent malicious skills access the gog keyring.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 80/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 78/100 · 5%

Findings (5)

MEDIUM OAuth credentials transiently exposed in process list -15

The exchange_code function in gmail-auth.sh passes CLIENT_ID and CLIENT_SECRET as curl -d arguments. These values are visible in /proc//cmdline and ps output for the duration of the curl call. An attacker with local process visibility could capture them.

LOW Third-party homebrew tap dependency not audited -10

SKILL.md instructs installation of 'steipete/tap/gogcli' from a personal homebrew tap. The gog CLI itself is out of scope for this audit but represents an unaudited dependency that handles Gmail tokens and API access.

LOW Normalizes dismissal of Google security warnings -5

SKILL.md explicitly instructs users (and by extension agents) to click 'Advanced' then 'Go to [app name] (unsafe)' to bypass Google's unverified app warning. While accurate for personal use, this pattern conditions users to dismiss security prompts.

LOW gmail.modify scope grants broad email access -17

The skill defaults to gmail.modify scope, which grants the authorized agent read, send, delete, and label management over the user's entire Gmail account. If the resulting tokens are accessible to a malicious skill or agent, this represents significant account access.

INFO Canary files read twice during audit session 0

Sensitive canary files were accessed at both pre-clone and post-install timestamps. Access pattern (CLOSE_NOWRITE, both rounds) is consistent with the audit harness performing integrity baseline and verification reads rather than skill-initiated exfiltration.