Is kyesh/google-workspace-byok safe?

The package-lock.json packages[""].dependencies section declares pdf-parse@^2.4.5 as a direct project dependency. This package is entirely absent from package.json and unmentioned in SKILL.md, which only documents mupdf for PDF processing. In npm lockfileVersion 3 format, the packages[""] entry represents installed direct dependencies. Any user running 'npm ci' (which treats the lock file as authoritative) will silently install pdf-parse and its full dependency tree including native binary packages. This is a classic supply chain obfuscation pattern: package.json appears clean while the lock file carries hidden dependencies.

[email protected] depends on @napi-rs/[email protected], which distributes pre-compiled native binaries for 10 platform combinations (linux-x64-gnu, linux-x64-musl, linux-arm64-gnu, linux-arm64-musl, linux-arm-gnueabihf, linux-riscv64-gnu, darwin-arm64, darwin-x64, win32-x64-msvc, android-arm64). These are pre-compiled C++ shared libraries that execute directly in the process, bypassing any JavaScript sandboxing. [email protected] is also pulled in as a large secondary dependency.

auth.js uses SCOPES_READWRITE by default, which includes the full https://www.googleapis.com/auth/calendar scope granting read and write access to all calendars. The skill's stated purpose (listing calendars, listing events, checking free/busy) requires only https://www.googleapis.com/auth/calendar.readonly. The --readonly flag exists but is not the default. In an agentic context, this means the LLM agent can create, modify, and delete calendar events, not merely read them.

The gmail.readonly OAuth scope allows the agent to search, list, and read every email in the user's Gmail account, including downloading all attachments. The gmail.js script supports arbitrary Gmail search queries, meaning the agent can be instructed to search for password reset emails, financial statements, or other sensitive content. Combined with other skills or adversarial prompt injection from email content itself, this creates a significant data exposure surface.

The getAuthClient() function in shared.js sets up automatic token refresh and persists new tokens on refresh via the 'tokens' event. These tokens, including long-lived refresh tokens, are stored as plaintext JSON in ~/.openclaw/google-workspace-byok/tokens/.json. A compromised local environment or backup gives an attacker permanent access to the user's Gmail and Calendar without requiring re-authentication. The 7-day expiry for testing apps is bypassed if published to Production as SKILL.md recommends.

The gmail.js attachment download action writes email attachment data to --out-dir paths specified at runtime. The SKILL.md examples default to /tmp/attachments. In an agent context, a malicious email could contain attachments with crafted filenames. No filename sanitization is visible in the documented usage or script code. The agent could potentially be instructed to use a different --out-dir to write files to sensitive locations.

SKILL.md explicitly describes and documents mupdf for PDF text extraction, providing inline Node.js code examples using the mupdf API. However, the lock file secretly includes pdf-parse (a completely different PDF library by a different author) with no use of pdf-parse found in any of the five JavaScript source files. The coexistence of two PDF processing libraries—one documented, one hidden—with no code referencing the hidden one is unexplained and suspicious.

Filesystem monitoring detected open+read events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json at two time points. Timing analysis places the first access (~1771929444.705) immediately after the Oathe ss-tunap network baseline command, and the second access (~1771929462.377) immediately after the Oathe skill file scanning phase completed—both consistent with monitoring system canary baseline and teardown reads. Canary integrity check confirmed all files unmodified.