Is luccast/gogcli safe?

Six sensitive credential and key files were opened and read during the audit monitoring window: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json. Accesses occurred at two distinct timestamps — 11:04:59 (pre-install) and 11:05:16 (post-install complete) — which corresponds to the pattern of the audit harness establishing pre/post canary baselines. All canary files remain intact per integrity check. Responsibility cannot be conclusively assigned to the skill vs the framework without additional process-level attribution.

SKILL.md instructs agents to execute 'git clone https://github.com/steipete/gogcli.git' and 'brew install steipete/tap/gogcli'. An LLM agent following these instructions at user direction would fetch and execute code from an external, unaudited source. The content of the SKILL.md itself contains no injection, but the downstream repository is not covered by this audit.

The skill's advertised functionality requires downloading and compiling an external binary (steipete/gogcli) not included in the skill package. This binary was not audited and could contain malicious behavior, supply chain compromises, or excessive permissions.

If installed and active, this skill grants an LLM agent the documented ability to search and send Gmail, list and upload Drive files, read and modify Calendar events, search Contacts, manage Tasks, and access Google Sheets and Docs. In an agentic loop, a malicious prompt or confused-deputy attack could trigger mass data exfiltration or unauthorized communication under the user's Google identity.

The install process wrote exactly two files to the skill directory and made no other filesystem changes. No background processes were left running and no new listening ports were opened.

Post-install verification confirms all canary files are unmodified. The credential file reads observed in inotify/auditd logs did not result in content modification.