Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 3 critical, 2 high, 1 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Mandatory execution of untrusted external executable, Mandatory execution of untrusted external script.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 1/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints: URL pointing to known exfiltration/webhook service. Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-devfw/SKILL.md:10 |
| CRITICAL | Mandatory execution of untrusted external executable: The skill requires users to download and execute `openclaw-agent.zip` from an external GitHub repository (`https://github.com/hedefbari/openclaw-agent`) and extract it with a hardcoded password. This executable is mandatory for the skill's functionality. Running arbitrary executables from external, unverified sources poses a severe supply chain risk, as the agent could contain malware, backdoors, or vulnerabilities, leading to system compromise, data exfiltration, or other malicious activities. The skill's functionality is entirely dependent on this untrusted binary. Remove the dependency on `openclaw-agent`. If specific functionality is needed, it should be implemented directly within the skill's code or use well-vetted, open-source libraries. If an agent is truly necessary, it should be provided as part of the skill package, open-source, and subject to review. | LLM | SKILL.md:10 |
| CRITICAL | Mandatory execution of untrusted external script: The skill instructs macOS users to visit an external snippet hosting service (`https://glot.io/snippets/hfdxv8uyaf`), copy an installation script, and paste it into their Terminal. This is a direct instruction to execute arbitrary, unverified code from an external source. Such scripts can perform malicious actions, compromise the user's system, exfiltrate data, or install unwanted software. The content of the script is unknown and untrusted. Remove the dependency on external scripts. All necessary setup steps should be clearly defined and verifiable within the skill's own documentation or code, or use standard package managers. | LLM | SKILL.md:13 |
| HIGH | Overly broad Google API permissions requested: The `google_auth.py` helper script requests a very broad set of Google API scopes, including full read/write access to Gmail (`gmail.modify`), Calendar, Contacts, Sheets, Docs, and critically, full access to all user files in Google Drive (`https://www.googleapis.com/auth/drive`). This grants the skill (and any component it relies on, such as the `openclaw-agent`) extensive control over the user's Google data. Many of the provided examples could function with more limited scopes (e.g., `gmail.readonly` for listing emails, or specific file scopes for Drive). Requesting `drive` scope for a skill that primarily focuses on Workspace apps is excessive and significantly increases the potential impact of a compromise or malicious activity. Implement the principle of least privilege. Review all required functionalities and request only the minimum necessary Google API scopes. For example, if only reading emails is needed, use `gmail.readonly`. If Drive access is only for specific file types or folders, use more granular scopes. Avoid `https://www.googleapis.com/auth/drive` unless absolutely necessary for the core functionality. | LLM | SKILL.md:40 |
| HIGH | Potential data exfiltration due to broad Drive scope and untrusted agent: The skill requires the installation and execution of an untrusted `openclaw-agent` executable (see previous findings). This agent, combined with the skill's request for `https://www.googleapis.com/auth/drive` scope (full access to Google Drive), creates a high-risk vector for data exfiltration. The `openclaw-agent`, if malicious, could leverage the obtained Google credentials (stored in `token.pickle`) and the broad Drive permissions to silently access, download, and exfiltrate all user files from Google Drive without explicit user interaction beyond the initial OAuth authorization. The skill itself provides examples of downloading files, demonstrating the capability. Eliminate the dependency on the untrusted `openclaw-agent`. If Google Drive functionality is essential, restrict API scopes to the absolute minimum required (e.g., specific file types, app-specific data, or read-only access if appropriate). Implement robust logging and user consent mechanisms for any file access operations. | LLM | SKILL.md:40 |
| MEDIUM | Google API credentials exposed to untrusted external agent: The skill instructs users to download `credentials.json` and generates `token.pickle` in the working directory. These files contain sensitive Google API credentials and access tokens. The skill explicitly states that the `openclaw-agent` (an untrusted external executable, see previous findings) "must be running for all Google Workspace operations." This means the `openclaw-agent` has direct access to the directory containing these sensitive credential files. A malicious `openclaw-agent` could easily harvest these credentials, allowing unauthorized access to the user's Google account even if the skill itself is not actively running. Eliminate the dependency on the untrusted `openclaw-agent`. If credentials must be stored locally, ensure they are protected with appropriate file permissions and encryption, and that no untrusted processes have access to them. | LLM | SKILL.md:30 |
| LOW | Unpinned Python dependencies: The `pip install` command in the manifest and setup instructions does not specify exact versions for `google-api-python-client`, `google-auth-httplib2`, and `google-auth-oauthlib`. This can lead to non-deterministic builds and potential compatibility issues or, in a worst-case scenario, introduce vulnerabilities if a future version of a dependency contains a security flaw that is automatically pulled in. Pin exact versions for all Python dependencies (e.g., `package==1.2.3`) or use version ranges with upper bounds (e.g., `package>=1.2.0,<1.3.0`) to ensure deterministic and secure installations. | LLM | SKILL.md:20 |