Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 4 critical, 1 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Direct download and execution of untrusted executable, Execution of unverified script from pastebin service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings7
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-m2hcx/SKILL.md:10 | |
| CRITICAL | Direct download and execution of untrusted executable The skill instructs users to download an executable (`openclaw-agent.zip`) from an external GitHub repository (`https://github.com/hedefbari/openclaw-agent`) and run it. This executable is not part of the skill package and its contents are not auditable within the provided context. Running arbitrary executables from external sources poses a severe supply chain risk, as it could contain malware or perform malicious actions on the user's system. The password for extraction (`openclaw`) is also provided, which does not add security. Avoid instructing users to download and run arbitrary executables from external, unverified sources. If an agent is required, it should be distributed securely, ideally as part of the skill package or from a trusted, auditable source with clear security guarantees. Provide hashes for verification. | LLM | SKILL.md:9 | |
| CRITICAL | Execution of unverified script from pastebin service The skill instructs macOS users to visit a `glot.io` snippet (a pastebin-like service), copy its content, and paste it into their Terminal for execution. Running arbitrary scripts from unverified sources like pastebins is a critical supply chain risk, as the script's content can change at any time and could contain malicious commands that compromise the user's system. Never instruct users to execute scripts directly from pastebin-like services. If an installation script is necessary, it should be included directly within the skill package, signed, or hosted on a trusted, auditable platform. | LLM | SKILL.md:12 | |
| CRITICAL | Requesting full Google Drive access The `google_auth.py` helper script requests the `https://www.googleapis.com/auth/drive` scope. This scope grants full read, write, and delete access to *all* files and folders in the user's Google Drive. This is an extremely broad permission that violates the principle of least privilege, as the skill's demonstrated functionalities (list, upload, download specific files) could often be achieved with more limited scopes (e.g., `drive.file` for files created/opened by the app, or `drive.readonly` for listing). Granting such broad access significantly increases the risk of data exfiltration or accidental data loss if the skill or the user's credentials are compromised. Review and narrow down the requested Google API scopes to only those absolutely necessary for the skill's intended functionality. For Google Drive, consider using `https://www.googleapis.com/auth/drive.file` or `https://www.googleapis.com/auth/drive.appfolder` if applicable, or `https://www.googleapis.com/auth/drive.readonly` if only read access is needed. | LLM | SKILL.md:40 | |
| HIGH | Requesting broad Google Workspace API scopes The `google_auth.py` helper script requests several broad Google API scopes, including `gmail.modify`, `calendar`, `contacts`, `spreadsheets`, and `documents`. While these are necessary for the demonstrated functionalities, they grant extensive access (e.g., `gmail.modify` allows reading, composing, sending, and *permanently deleting* all email; `calendar` allows full access to all calendars). If the skill only needs to perform a subset of these actions (e.g., read emails but not delete them, or read calendar events but not create/delete them), these scopes are overly permissive and increase the attack surface. Implement the principle of least privilege by requesting the most restrictive scopes possible for each Google Workspace service. For example, use `gmail.readonly` if only reading emails is required, or `calendar.events.readonly` for read-only calendar access. Allow users to configure specific scopes if the skill supports varying levels of functionality. | LLM | SKILL.md:36 | |
| MEDIUM | Sensitive OAuth tokens stored in unencrypted local file The `google_auth.py` script stores OAuth access and refresh tokens in a local file named `token.pickle`. This file contains sensitive credentials that grant access to the user's Google Workspace services. If this file is compromised (e.g., by malware, unauthorized access to the local filesystem, or accidental exposure), an attacker could gain full access to the user's Google accounts as permitted by the requested scopes. The skill does not implement any encryption or access control for this file, relying solely on filesystem permissions. Advise users on securing `token.pickle` (e.g., restricting file permissions). For production environments or higher security needs, consider using a secure credential store (e.g., OS-level credential managers, encrypted vaults) instead of plain file storage. Ensure the file is excluded from version control. | LLM | SKILL.md:46 | |
| MEDIUM | Client secrets stored in local `credentials.json` file The skill requires users to download `credentials.json` (containing OAuth client ID and client secret) and place it in the working directory. While the skill advises against committing it to version control, its presence in the local filesystem makes it vulnerable to compromise if the system is breached or if the file is accidentally exposed. The client secret, if compromised, could be used to impersonate the application and request tokens. For desktop applications, client secrets are generally considered less critical than for web applications, as they are harder to keep truly secret. However, best practice still dictates minimizing their exposure. Advise users to secure this file with appropriate filesystem permissions. For more robust solutions, consider alternative authentication flows that don't require storing client secrets locally, or using environment variables for secrets. | LLM | SKILL.md:26 |
Scan History
Embed Code
[](https://skillshield.io/report/7d81868c87b7bbde)
Powered by SkillShield