Is taylorwilsdon/google_workspace_mcp safe?

https://github.com/taylorwilsdon/google_workspace_mcp

Score: 28
Verdict: DANGEROUS

This skill failed to clone properly and contains no actual Google Workspace functionality — only a lock.json referencing an unrelated 'academic-research-hub' skill. During installation, the process accessed critical credential files (.aws/credentials, .env, auth-profiles.json) and executed substantial code via the jiti transpiler despite having no package.json. The mismatch between claimed purpose and actual content, combined with credential file access patterns, presents a high-risk profile consistent with potential credential harvesting.

Category Scores

Category               Score     Weight
Prompt Injection        50/100   30%
Data Exfiltration        5/100   25%
Code Execution          30/100   20%
Clone Behavior          15/100   10%
Canary Integrity       100/100   10%
Behavioral Reasoning    20/100    5%

Findings (10)

CRITICAL (-40): AWS credentials file accessed during install

The filesystem monitor recorded OPEN and ACCESS events on /home/oc-exec/.aws/credentials during the skill installation process. AWS credential files contain secret access keys that provide full access to cloud infrastructure. No legitimate skill installation should read this file.

CRITICAL (-35): .env file accessed during install

The .env file at /home/oc-exec/.env was opened and read during installation. Environment files typically contain API keys, database credentials, and other secrets. This access is not justified by any skill installation requirement.

HIGH (-20): Auth profiles and platform config files accessed

Multiple sensitive configuration files were read: auth-profiles.json (OAuth/API tokens), openclaw.json (platform configuration read 6+ times), .profile and .bashrc (shell environment with potential exported secrets). The repeated reading of openclaw.json suggests systematic enumeration of platform configuration.

HIGH (-40): Extensive code execution during install via jiti transpiler

The installation process triggered the jiti runtime transpiler to create and execute 14+ CJS modules in /tmp/jiti/, including modules named memory-core, plugin-sdk, infra-exec-safety, config schemas, and channel registries. This represents significant code execution during what should be a simple skill installation.

HIGH (-30): Clone failed — audit has incomplete visibility

The git clone failed because the destination directory already existed. This means the audit evaluated stale/pre-existing content rather than the actual current repository. The only file found was a lock.json referencing an unrelated 'academic-research-hub' skill, not Google Workspace functionality.

HIGH (-25): Gateway lock file and temp directory creation

A lock file was created at /tmp/openclaw-1000/gateway.e9191928.lock and modified during installation. This indicates a gateway or coordination process was initialized, which goes beyond normal skill installation scope.

MEDIUM (-15): System identity files enumerated

The install process read /etc/machine-id, /etc/passwd, /etc/group, and /etc/nsswitch.conf. While some of these reads may be normal for process initialization, reading machine-id specifically can be used for fingerprinting the host system.

HIGH (-50): Empty SKILL.md with mismatched lock.json content

The SKILL.md is completely empty and the only metadata file (lock.json) references 'academic-research-hub' rather than anything related to Google Workspace. This identity mismatch between the claimed skill purpose (Google Workspace MCP) and the installed content raises concerns about skill impersonation or supply-chain confusion.

MEDIUM (-45): No package.json but code executed during install

Despite having no package.json (meaning no declared dependencies or install scripts), significant code execution still occurred during installation. The source of this execution is unclear and concerning.

MEDIUM (-80): Google Workspace scope creates plausible permission escalation

If this skill were functional, its Google Workspace framing would justify requesting OAuth scopes for Gmail, Calendar, Drive, and Contacts — providing broad access to a user's personal and professional data. Combined with the credential-harvesting behavior observed during install, this represents a significant risk vector.