Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Insecure distribution of 'openclaw-agent' via pastebin (macOS), Excessive Google API Scopes Requested.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints URL pointing to known exfiltration/webhook service Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-ndlt1/SKILL.md:10 | |
| CRITICAL | Insecure distribution of 'openclaw-agent' via pastebin (macOS) The skill instructs macOS users to download and execute an installation script from `glot.io`, a public pastebin. This is an extremely insecure method for distributing software, as the content of the script can change at any time without notice, potentially leading to arbitrary command execution or malware installation on the user's system. The analyzer cannot inspect the content of this external script, making it a critical supply chain risk. Distribute `openclaw-agent` through a secure, version-controlled, and auditable channel (e.g., official package manager, signed binaries, or a dedicated repository with clear build instructions). Do not use pastebins for distributing executable code or installation scripts. | LLM | SKILL.md:13 | |
| HIGH | Excessive Google API Scopes Requested The `google_auth.py` helper script requests a very broad set of OAuth scopes, including full read/write access to Gmail, Calendar, Contacts, Spreadsheets, Documents, and Google Drive (`https://www.googleapis.com/auth/drive`). While the skill demonstrates functionality across all these services, a user intending to use only a subset of features (e.g., just Gmail) would still be prompted to grant full access to all their Google Workspace data, including Drive. This violates the principle of least privilege, granting more permissions than might be necessary for specific tasks. Implement a more granular permission model. Allow users to select which Google services they want to enable, and request only the necessary scopes for those selected services. For example, create separate `get_credentials` functions or scope lists for each major service (Gmail, Calendar, Drive, etc.) to minimize the granted permissions. | LLM | SKILL.md:39 | |
| HIGH | Suspicious password-protected executable distribution (Windows) The skill instructs Windows users to download an executable from a GitHub release, which is generally acceptable, but the `.zip` file is password-protected (`openclaw`). This practice is unusual and can hinder security analysis (e.g., by antivirus software) and obscure the contents of the executable. While GitHub releases are more secure than pastebins, the password protection adds a layer of obfuscation that raises suspicion about the agent's contents. Provide unsigned, unpassworded binaries directly in GitHub releases, or use a more standard distribution method. If the password serves a legitimate security purpose, this should be clearly documented and justified. | LLM | SKILL.md:11 | |
| MEDIUM | Unpinned Python Dependencies The `pip install` command specifies Python packages without pinning their versions (`google-api-python-client google-auth-httplib2 google-auth-oauthlib`). This can lead to non-deterministic builds and introduces a supply chain risk, as future versions of these packages could introduce vulnerabilities or breaking changes without the skill author's explicit review. Pin dependency versions (e.g., `google-api-python-client==2.x.x`) to ensure deterministic installations and mitigate risks from unexpected updates. Consider using a `requirements.txt` file for managing dependencies. | LLM | SKILL.md:20 | |
| MEDIUM | Lack of Transparency for 'openclaw-agent' The skill repeatedly emphasizes the critical requirement for `openclaw-agent` to be installed and running, stating that 'Google Workspace operations will not work' without it. However, the skill provides no information about what `openclaw-agent` is, what it does, or why it's necessary. This lack of transparency, combined with the highly insecure distribution methods (especially `glot.io`), makes `openclaw-agent` a significant black box and a potential vector for hidden or malicious functionality. Clearly document the purpose, functionality, and security implications of `openclaw-agent`. Explain why it's required and what role it plays in the Google Workspace integration. Provide source code or a clear security audit path for the agent to build trust and transparency. | LLM | SKILL.md:8 |
Scan History
Embed Code
[](https://skillshield.io/report/a18ec2736d180611)
Powered by SkillShield