Trust Assessment
gogcli received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include "Missing required field: name", "Untrusted Third-Party Dependencies in Installation", and "Command Injection via Sudo Make Install from Untrusted Source".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Sudo Make Install from Untrusted Source.** The installation process includes `sudo make install` after cloning an unverified GitHub repository. If the `Makefile` from the cloned repository is malicious due to a supply chain compromise, running this command with `sudo` would grant arbitrary commands root privileges, leading to a critical system compromise. Avoid `sudo make install` from unverified sources. If necessary, provide clear warnings about the risks and instruct users to thoroughly audit the `Makefile` and source code before execution. Consider alternative installation methods that do not require root privileges or rely on trusted package managers. | LLM | SKILL.md:31 |
| HIGH | **Untrusted Third-Party Dependencies in Installation.** The skill's installation instructions rely on unverified third-party sources. Installing via `brew install steipete/tap/gogcli` or `git clone https://github.com/steipete/gogcli.git` introduces a supply chain risk. If the Homebrew tap or the GitHub repository is compromised, malicious code could be injected and executed on the user's system. Recommend using official package repositories, providing checksums for verification, or instructing users to audit the source code before installation. Clearly state the risks of installing from unverified sources. | LLM | SKILL.md:20 |
| MEDIUM | **Missing required field: name.** The `name` field is required for claude_code skills but is missing from the frontmatter. Add a `name` field to the SKILL.md frontmatter. | Static | skills/luccast/gogcli/SKILL.md:1 |
| MEDIUM | **Potential for Excessive OAuth Permissions.** The skill guides the user to create OAuth client credentials for Google Workspace APIs. While it states "Enable APIs you need", it does not provide guidance on minimizing scopes or the security implications of granting broad access. The tool's functionality spans many sensitive Google services (Gmail, Drive, Calendar, Contacts), increasing the risk that an overly permissive OAuth client could be created, leading to excessive access to the user's Google account. Provide explicit guidance on the principle of least privilege for OAuth scopes. Recommend enabling only the absolute minimum APIs required for specific tasks and clearly explain the security implications of granting broad access to Google services. | LLM | SKILL.md:44 |
Full report: https://skillshield.io/report/36679e85802d9aca