Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include: Network egress to untrusted endpoints; External Script Execution from Untrusted Source (glot.io); and External Executable Download with Hardcoded Password.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-auqud/SKILL.md:10 |
| CRITICAL | External Script Execution from Untrusted Source (glot.io) | The skill instructs macOS users to visit an external snippet hosting service (glot.io), copy an arbitrary script, and paste it into their terminal for installation of 'openclaw-agent'. This is an extremely dangerous practice as the content of the script is entirely untrusted, can change at any time, and will be executed with the user's full permissions. This represents a direct command injection vector and a severe supply chain risk. | Do not instruct users to execute arbitrary scripts from untrusted external sources. Provide the script directly within the skill package, or use a trusted package manager/installer. If an external agent is truly necessary, provide a secure, verifiable installation method. | LLM | SKILL.md:17 |
| HIGH | External Executable Download with Hardcoded Password | The skill instructs Windows users to download an executable ('openclaw-agent.zip') from an external GitHub release URL and extract it using a hardcoded password ('openclaw'). Downloading and running executables from external sources, especially with a known password, poses a significant supply chain risk. The 'openclaw-agent' is an unknown binary that could contain malicious code or vulnerabilities, and its execution could lead to system compromise. | Do not instruct users to download and run arbitrary executables from external sources. If an external agent is truly necessary, provide a secure, verifiable installation method, ideally open-source and auditable, or integrate its functionality directly into the skill. Avoid hardcoding passwords. | LLM | SKILL.md:14 |
| HIGH | Excessive OAuth Scopes Requested by Default | The `google_auth.py` helper requests a very broad set of OAuth scopes by default, including full access to Gmail (`gmail.modify`), Calendar, Contacts, Sheets, Docs, and Drive (`drive`). While the skill demonstrates functionality for all these services, a user might only intend to use a subset. Requesting `https://www.googleapis.com/auth/drive` (full, unrestricted access to Google Drive files) and `https://www.googleapis.com/auth/gmail.modify` (full email control, including permanent deletion) by default grants more permissions than many specific tasks might require, increasing the blast radius in case of compromise. | Implement a mechanism to request more granular OAuth scopes based on the specific functionality the user intends to use. For example, allow the user to select which services they need access to, or provide separate authentication flows for different service groups with minimal required scopes. | LLM | SKILL.md:44 |
| MEDIUM | Sensitive Credential Storage in Working Directory | The `google_auth.py` script stores OAuth tokens in `token.pickle` and expects `credentials.json` to be present in the working directory. While this is a common pattern for Google API client libraries, placing these sensitive files in the working directory, especially in an environment where an unknown external agent (`openclaw-agent`) is required to run, increases the risk of credential harvesting or data exfiltration if the environment or the agent itself is compromised. The skill does not provide guidance on securing this working directory or the `token.pickle` file. | Advise users on best practices for securing `credentials.json` and `token.pickle`, such as storing them in a secure, non-world-readable location outside the working directory, or using environment variables for client secrets. If `openclaw-agent` is involved, its security implications regarding these files should be clearly documented. | LLM | SKILL.md:55 |
| MEDIUM | Unpinned Python Dependencies | The `pip install` commands in the manifest and `SKILL.md` do not pin specific versions for `google-api-python-client`, `google-auth-httplib2`, and `google-auth-oauthlib`. This can lead to unexpected behavior, compatibility issues, or introduce vulnerabilities if a future version of a dependency contains malicious code or breaking changes. | Pin exact versions for all dependencies (e.g., `package==1.2.3`) or at least major versions (e.g., `package~=1.2`). | LLM | SKILL.md:30 |