Security audit

google-workspace-rave

Security checks across malware telemetry and agentic risk

Overview

The skill is openly intended for controlling Google Workspace, but its setup asks an agent to handle sensitive Google OAuth secrets and callback URLs in chat and workspace files.

Install only if you intend to let an agent operate your Google Workspace account. Use the narrowest OAuth scopes possible, avoid pasting secrets or callback URLs into chat, keep credentials outside shared workspaces with restrictive permissions, and require explicit approval before sending email, sharing files, deleting data, running admin actions, or using MCP exposure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly markets broad, agent-driven access across nearly all Google Workspace services, including highly sensitive data stores and administrative functions, but it does not warn users about privacy exposure, destructive actions, or the need for tight scoping and human approval. In an agent-skill context, that omission is dangerous because operators may install and authorize the skill without understanding it can read mail, modify files, send messages, and perform admin actions across a live workspace.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instructions tell users to export unmasked Google Workspace CLI credentials to a local file and set an environment variable pointing to it, but provide no warning that this file may contain reusable secrets granting broad API access. This creates a clear credential-handling weakness: users may store the file insecurely, commit it to source control, leave permissive file permissions, or transfer it to servers without encryption.

Missing User Warnings

High
Confidence
96% confidence
Finding
The authentication workflow explicitly instructs the agent to ask the user to paste OAuth client secrets into chat and store them in the workspace, without a strong warning that these are sensitive credentials. Collecting secrets through the conversational channel unnecessarily exposes them to logging, retention, prompt leakage, and accidental reuse by other tools or agents.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
Documenting `gws mcp` as exposing all Workspace operations as MCP tools without any warning about privilege scope, data exposure, or destructive actions increases the chance that an AI agent or connected tool can access mail, files, calendars, and admin functions with broad authority. In an agent context, this materially expands attack surface because prompt injection, tool misuse, or over-broad authorization could lead to large-scale data access or modification across Google Workspace.

Ssd 3

High
Confidence
98% confidence
Finding
The skill creates a natural-language workflow for collecting both OAuth client credentials and the full localhost callback URL via chat. Even if intended for setup convenience, this turns highly sensitive authentication artifacts into chat content that may be stored, indexed, or exposed to downstream systems, increasing risk of account compromise.

Credential Access

High
Category
Privilege Escalation
Content
When a user wants to start using this skill or if credentials are missing, **you (the AI agent) MUST follow this specific authentication workflow**:

1. **Ask for `client_secret.json`:** Prompt the user to provide their Google Cloud OAuth `client_secret.json`. They can either upload the file or paste its contents into the chat. Once they do, save it as `credentials.json` in the workspace.
2. **Explain the Flow:** Once you have the file, explain to the user exactly how the auth will work:
   > *"I have saved your credentials. I am now going to start the authentication process. I'll provide you with a Google login link. You'll need to click it, authorize your account, and then your browser will redirect to a blank `http://localhost...` page. Copy that full localhost URL and paste it back to me here!"*
3. **Run Authentication:** Run `gws auth login` in the background (using your `exec` tool). Extract the generated Google OAuth URL from the output and send it to the user.
Confidence
98% confidence
Finding
secret.json

Credential Access

High
Category
Privilege Escalation
Content
When a user wants to start using this skill or if credentials are missing, **you (the AI agent) MUST follow this specific authentication workflow**:

1. **Ask for `client_secret.json`:** Prompt the user to provide their Google Cloud OAuth `client_secret.json`. They can either upload the file or paste its contents into the chat. Once they do, save it as `credentials.json` in the workspace.
2. **Explain the Flow:** Once you have the file, explain to the user exactly how the auth will work:
   > *"I have saved your credentials. I am now going to start the authentication process. I'll provide you with a Google login link. You'll need to click it, authorize your account, and then your browser will redirect to a blank `http://localhost...` page. Copy that full localhost URL and paste it back to me here!"*
3. **Run Authentication:** Run `gws auth login` in the background (using your `exec` tool). Extract the generated Google OAuth URL from the output and send it to the user.
Confidence
98% confidence
Finding
secret.json

Credential Access

High
Category
Privilege Escalation
Content
When a user wants to start using this skill or if credentials are missing, **you (the AI agent) MUST follow this specific authentication workflow**:

1. **Ask for `client_secret.json`:** Prompt the user to provide their Google Cloud OAuth `client_secret.json`. They can either upload the file or paste its contents into the chat. Once they do, save it as `credentials.json` in the workspace.
2. **Explain the Flow:** Once you have the file, explain to the user exactly how the auth will work:
   > *"I have saved your credentials. I am now going to start the authentication process. I'll provide you with a Google login link. You'll need to click it, authorize your account, and then your browser will redirect to a blank `http://localhost...` page. Copy that full localhost URL and paste it back to me here!"*
3. **Run Authentication:** Run `gws auth login` in the background (using your `exec` tool). Extract the generated Google OAuth URL from the output and send it to the user.
Confidence
98% confidence
Finding
credentials.json

VirusTotal

62/62 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.