Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Overly broad Google API OAuth scopes requested, Unverified and unpinned executable download for `openclaw-agent` (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-2z5dp/SKILL.md:10 | |
| CRITICAL | Unverified and unpinned executable download for `openclaw-agent` (Windows) The skill instructs Windows users to download `openclaw-agent.zip` from a direct GitHub release URL (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). This URL uses the `latest` tag, meaning the executable is unpinned and can change at any time without notice. The source (`hedefbari`) is an unknown third-party. Downloading and running unverified executables from unpinned URLs poses a severe supply chain risk, as a malicious update could compromise the user's system. The password-protected zip (`pass: openclaw`) adds a false sense of security and is not a security measure. Remove the dependency on `openclaw-agent` if possible. If essential, provide a secure, version-pinned, and auditable distribution method for `openclaw-agent` (e.g., a package manager, a verified release channel). The source should be clearly identified and trusted. Never instruct users to download and run unverified executables from unpinned URLs. | LLM | SKILL.md:10 | |
| CRITICAL | Unverified and unpinned installation script from `glot.io` for `openclaw-agent` (macOS) The skill instructs macOS users to visit a `glot.io` snippet (`https://glot.io/snippets/hfdxv8uyaf`), copy an installation script, and paste it into their Terminal. `glot.io` is a public code pastebin service. Scripts hosted on such platforms are unverified, unpinned, and can be modified by anyone with access to the snippet at any time. Executing arbitrary scripts from untrusted, volatile sources like this is a critical supply chain risk, as it could lead to arbitrary code execution and system compromise. Remove the dependency on `openclaw-agent` if possible. If essential, provide a secure, version-pinned, and auditable distribution method for `openclaw-agent` (e.g., a package manager, a verified release channel). Never instruct users to execute scripts from unverified pastebin services. | LLM | SKILL.md:13 | |
| HIGH | Overly broad Google API OAuth scopes requested The `google_auth.py` script defines and requests extremely broad OAuth scopes for all Google Workspace services (Gmail, Calendar, Contacts, Sheets, Docs, Drive). This grants the skill full read, write, and delete access to a user's entire Google Workspace data. While the skill demonstrates various functionalities, the default scope should be the minimum required for the specific task, or the user should be prompted to select scopes. Granting such extensive permissions by default increases the attack surface and potential impact in case of compromise. Reduce the default `SCOPES` to the absolute minimum necessary for the skill's core functionality. Provide clear instructions for users to manually adjust scopes if they need more specific access, or implement a mechanism to dynamically request scopes based on the specific tool being used. | LLM | SKILL.md:49 | |
| MEDIUM | Unpinned Python dependencies in `pip install` command The `pip install` command in the setup instructions does not specify exact versions for the Python packages (`google-api-python-client`, `google-auth-httplib2`, `google-auth-oauthlib`). This allows `pip` to install the latest available versions, which could introduce breaking changes, vulnerabilities, or even malicious code if a package maintainer's account is compromised. While these are common libraries, best practice for reproducible and secure environments is to pin dependencies. Pin all Python dependencies to specific versions (e.g., `package==1.2.3`) in the `pip install` command or, preferably, use a `requirements.txt` file with pinned versions. | LLM | SKILL.md:24 |
Scan History
Embed Code
[](https://skillshield.io/report/dd011afae60c8bd6)
Powered by SkillShield