Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Execution of untrusted external binaries/scripts required for skill functionality, Skill requests overly broad Google API permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/devbd1/google-workspace-7bvno/SKILL.md:10 | |
| CRITICAL | Execution of untrusted external binaries/scripts required for skill functionality The skill requires users to download and execute an external binary (`openclaw-agent.zip` from a personal GitHub account for Windows) or copy-paste and run an arbitrary script from a public snippet hosting service (`glot.io` for macOS). The Windows executable is from `hedefbari/openclaw-agent`, a personal GitHub account, and is distributed in a password-protected ZIP, which is an unusual practice and hinders security analysis. The macOS instruction to fetch and run a script from `glot.io` is a severe supply chain risk. Code hosted on such platforms can be modified at any time by the snippet owner, potentially introducing malicious functionality without warning. Running arbitrary code from an unverified source can lead to system compromise, data exfiltration, or other malicious activities. For macOS: Host the installation script securely within the skill package or on a trusted, version-controlled repository (e.g., a specific commit hash on GitHub) and provide clear instructions for users to review its content. Ideally, avoid direct execution of arbitrary scripts from public snippet sites. For Windows: Provide a cryptographically signed executable or a hash for verification. Clearly document the purpose and origin of `openclaw-agent`. Consider integrating its functionality directly into the skill if possible, or using a more standard and verifiable distribution method. Explain why `openclaw-agent` is necessary and what it does. | LLM | SKILL.md:6 | |
| HIGH | Skill requests overly broad Google API permissions The `google_auth.py` script defines `SCOPES` that request a comprehensive set of Google API permissions, including `https://www.googleapis.com/auth/gmail.modify`, `https://www.googleapis.com/auth/calendar`, `https://www.googleapis.com/auth/contacts`, `https://www.googleapis.com/auth/spreadsheets`, `https://www.googleapis.com/auth/documents`, and `https://www.googleapis.com/auth/drive`. These scopes grant extensive read, write, and delete access across multiple critical Google Workspace services. While the skill demonstrates functionality for all these services, requiring all of them upfront for every user is excessive. A user might only need a subset of functionality (e.g., sending emails or managing calendar events), but is forced to grant permissions for all services, including full Drive access. This increases the attack surface and the potential impact of a compromised `token.pickle` credential. Implement a modular approach where users can select which Google Workspace services they intend to use, and only request the minimum necessary scopes for those selected services. Provide clear documentation on what each scope enables and why it's requested. Consider using more granular scopes (e.g., `gmail.send` instead of `gmail.modify` if only sending is needed, or `drive.file` for specific file access instead of `drive` for all files). | LLM | SKILL.md:36 |
Scan History
Embed Code
[](https://skillshield.io/report/5bfc9e88cfdfde0a)
Powered by SkillShield