Is gog safe?
https://clawhub.ai/steipete/gog
The gog skill is a clean, documentation-only wrapper around the gog CLI for Google Workspace access. It contains no malicious code, no prompt injection, and no executable payloads, and it showed clean clone behavior. However, it grants an AI agent an extremely broad access surface to a user's Google Workspace (Gmail send, Drive read, Contacts list, Sheets write), which makes it a high-value attack multiplier if any other prompt injection or malicious skill is present.
Findings (6)
MEDIUM Broad Google Workspace access surface -30
The skill provides agent access to Gmail (read+send), Calendar, Drive, Contacts, Sheets (read+write+clear), and Docs. This is an extraordinarily broad access surface that could be abused for data exfiltration via email sending or document reading.
MEDIUM Email-based exfiltration vector -15
The gog gmail send command allows the agent to send arbitrary emails. A prompt injection or malicious co-installed skill could instruct the agent to email sensitive data to an external address.
LOW Advisory confirmation easily bypassed -10
The skill says 'Confirm before sending mail or creating events' but this is a soft instruction that a compromised or manipulated agent could ignore. There is no technical enforcement.
LOW Third-party Homebrew tap for binary install -15
The gog binary is installed from steipete/tap/gogcli, a third-party Homebrew tap. While common for CLI tools, the binary itself is not audited as part of this skill review. Supply chain compromise of this tap would affect all users.
INFO Runtime reads .env and .aws/credentials during install -15
The OpenClaw agent runtime (not the skill itself) reads .env and .aws/credentials during skill installation. This is standard agent runtime behavior but worth noting as these files contain sensitive data.
HIGH High-value attack multiplier when combined with other skills -55
This skill is benign in isolation but dramatically amplifies the damage potential of any prompt injection or malicious co-installed skill. An attacker who achieves prompt injection gains full Google Workspace access: reading emails for credentials, exfiltrating files via email, modifying spreadsheets, and enumerating contacts.