Is gogcli safe?

https://clawhub.ai/luccast/gogcli

Overall score: 62
Verdict: CAUTION

gogcli is a wrapper skill that instructs the agent to install an external, unaudited binary (via brew tap or git clone + sudo make install) granting full Google Workspace access including email send, drive upload, and contact/calendar read. While the skill itself contains no executable code or prompt injection payloads, it creates significant data exfiltration risk through its Gmail send and Drive upload capabilities, and the external binary installation path introduces unaudited code execution with root privileges. No malicious intent was detected, but the broad capability surface and reliance on external unaudited code warrant caution.

Category Scores (score / 100 · weight in overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 40/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 35/100 · 5%

Findings (13)

HIGH Instructs sudo make install from external repo -30

The skill instructs the agent to clone an external GitHub repository, run make, and then execute 'sudo make install' — granting root-level code execution to whatever is in the Makefile of an unaudited external repository.

HIGH Third-party Homebrew tap installation -30

brew install from a third-party tap (steipete/tap/gogcli) runs arbitrary Ruby formula code and installs an unaudited binary. The tap maintainer could push malicious updates at any time.

HIGH Email send capability enables data exfiltration -20

The gmail send command allows the agent to send arbitrary emails to any recipient. A prompt injection or malicious co-skill could use this to exfiltrate sensitive data via email without the user's awareness.

HIGH Drive upload enables local file exfiltration -15

The drive upload command allows uploading arbitrary local files to Google Drive. Combined with broad file access, this creates a direct exfiltration channel for any file on the system.

MEDIUM Full read access to email, contacts, calendar -10

The skill provides commands to search and read all Gmail messages, contacts, calendar events, and Drive files — the most sensitive personal and corporate data sources in Google Workspace.

MEDIUM Broad activation trigger increases attack surface -10

The skill description 'Use when user asks to interact with Google services' creates an extremely wide activation surface. Any mention of Google, Gmail, Calendar, Drive, etc. could trigger this skill, giving it frequent access to agent context.

MEDIUM Normalizes credential handling in agent context -8

The OAuth setup instructions normalize the agent downloading, moving, and passing OAuth client_secret files — conditioning the agent to handle credentials casually and reducing the likelihood it will flag similar operations from malicious skills.

MEDIUM Shell command execution patterns in SKILL.md -10

The skill embeds numerous shell commands as code blocks intended for agent execution. While individually reasonable, this normalizes shell execution patterns and could make the agent more permissive about running commands from other skills.

MEDIUM OAuth credentials stored in accessible location -10

Credentials stored in ~/.config/gog/ are accessible to any skill or process. The skill normalizes the agent knowing about and accessing this credential store.

LOW Persistent binary survives skill removal -15

Both installation methods (brew install, sudo make install) place a binary in the system PATH that persists even if the skill is uninstalled from ClawHub. The user may not realize the binary remains.

LOW External repository contents unaudited -20

The actual gogcli binary from github.com/steipete/gogcli is not included in the skill package and is fetched at install time. Its behavior is opaque to this audit — it could do anything the OAuth scopes permit.

LOW Powerful cross-skill exfiltration channel -30

If installed alongside other skills, gogcli becomes an ideal exfiltration channel. Any skill that reads sensitive data could instruct the agent to use gogcli's gmail send or drive upload to transmit it externally.

INFO Agent runtime reads sensitive host files -15

The monitoring detected reads of .env, .aws/credentials, .profile, .bashrc — these are attributable to the host agent runtime (OpenClaw) initializing, not to the skill itself.