Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 2 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Direct download and execution of untrusted executable (Windows), Instruction to execute arbitrary script from external snippet service (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 3/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-gbvyc/SKILL.md:10 |
| CRITICAL | Direct download and execution of untrusted executable (Windows) | The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from an external, unverified GitHub repository (`github.com/hedefbari`). This executable is a critical dependency for the skill's functionality. Running arbitrary executables from untrusted sources poses a severe security risk, allowing for arbitrary code execution, system compromise, and potential data exfiltration. The `openclaw-agent` is a black box, and its functionality is unknown, yet it's required for all Google API operations, implying it will have access to sensitive credentials. | Remove the dependency on external, untrusted executables. If an agent is necessary, it should be open-source, auditable, and distributed through trusted channels, or the functionality should be integrated directly into the skill's Python code. | LLM | SKILL.md:10 |
| CRITICAL | Instruction to execute arbitrary script from external snippet service (macOS) | The skill instructs macOS users to visit an external code snippet hosting service (`glot.io`), copy an unknown script, and paste it directly into their terminal for execution. This is an extremely dangerous practice, as the content of the script can be changed at any time by the snippet owner, leading to arbitrary code execution, system compromise, and potential data exfiltration. The `openclaw-agent` installed this way is a critical dependency for the skill and will have access to sensitive Google API credentials. | Remove the dependency on external, untrusted scripts. If an agent is necessary, it should be open-source, auditable, and distributed through trusted channels, or the functionality should be integrated directly into the skill's Python code. | LLM | SKILL.md:13 |
| HIGH | Overly broad Google API OAuth scopes requested | The `google_auth.py` script requests a wide range of Google API OAuth scopes, including `gmail.modify`, `calendar`, `contacts`, `spreadsheets`, `documents`, and `drive`. This grants extensive read/write access across multiple sensitive Google Workspace services. Users are forced to grant all these permissions even if they only intend to use a subset of the skill's functionality (e.g., only reading emails). This violates the principle of least privilege and significantly increases the attack surface if the credentials or the `openclaw-agent` are compromised. | Implement granular OAuth scope requests. Only request the minimum necessary permissions for each specific operation or allow users to select which services they want to enable, requesting scopes dynamically or providing separate authentication flows for different service groups. | LLM | SKILL.md:39 |
| HIGH | Sensitive credentials exposed to unverified external agent | The skill requires users to download `credentials.json` and generates `token.pickle` in the working directory. All Google Workspace operations are stated to require the `openclaw-agent` to be running. Since the `openclaw-agent` is an external, unverified executable/script (as identified in other critical findings), it operates as a black box with full access to the environment where `credentials.json` and `token.pickle` are stored. This creates a high risk of credential harvesting and data exfiltration, as the agent could read and transmit these sensitive files without the user's knowledge. | Eliminate the dependency on the `openclaw-agent` or ensure it is a fully auditable, open-source component distributed through trusted channels. Implement secure credential storage mechanisms that do not rely on placing sensitive files in the working directory, especially when an unverified external process is required to access them. | LLM | SKILL.md:27 |
| MEDIUM | Potential arbitrary code execution via insecure `pickle.load` | The `google_auth.py` script uses `pickle.load` to deserialize the `token.pickle` file. The `pickle` module is known to be insecure against maliciously constructed data. If an attacker can replace or tamper with the `token.pickle` file, they could inject arbitrary code that would be executed when `pickle.load` is called. This requires prior file system access to the `token.pickle` file, but it's a recognized vulnerability pattern. | Avoid using `pickle` for deserializing untrusted or potentially tampered data. For credential storage, consider more secure alternatives like encrypted JSON, OS-level credential managers, or dedicated secure storage solutions. | LLM | SKILL.md:44 |