Trust Assessment
gog-advanced received a trust score of 82/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. The key findings are Potential Command Injection via Unsanitized User Input and Excessive Permissions Requested During Setup.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via Unsanitized User Input: The skill provides numerous command patterns where dynamic values (e.g., calendar IDs, search queries, sheet ranges, document IDs) are substituted into shell commands. The rubric does not include any explicit instructions or warnings for the agent to sanitize or escape these values if they originate from untrusted user input. This omission in the rubric's guidance increases the likelihood of an agent implementing a vulnerable command construction, potentially leading to arbitrary command execution if malicious input is provided. Add explicit instructions for the agent to sanitize and properly escape all dynamic arguments derived from user input before constructing and executing shell commands. For example, advise using a safe command execution library or quoting mechanisms. | LLM | SKILL.md:78 |
| MEDIUM | Excessive Permissions Requested During Setup: The skill explicitly instructs the agent to configure the 'gog' tool with access to all major Google Workspace services (Gmail, Calendar, Drive, Contacts, Sheets, Docs) during the initial setup. While the tool may support these capabilities, instructing the agent to request maximum scope by default violates the principle of least privilege, significantly increasing the attack surface if the agent or the 'gog' tool's configuration is compromised. Revise the setup instructions to encourage requesting only the minimum necessary services for specific tasks. Provide guidance on how to manage granular permissions or configure separate accounts/profiles for different service access levels. | LLM | SKILL.md:28 |