Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 4 critical, 0 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Unpinned Python dependencies, and Installation of untrusted executable from external source (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Network egress to untrusted endpoints.** URL pointing to known exfiltration/webhook service. Remediation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-ozgdc/SKILL.md:10 |
| CRITICAL | **Installation of untrusted executable from external source (Windows).** The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from a GitHub release page belonging to a user (`hedefbari`) that is not the official `openclaw` organization. The download also requires a password (`openclaw`). Running executables from unverified third-party sources, especially with a password, poses a severe supply chain risk, as the executable could contain malware, backdoors, or other malicious code, leading to full system compromise. Remediation: Remove instructions to download and run executables from untrusted or unverified sources. If an agent is required, it should be officially provided, signed, and distributed through secure channels by the `openclaw` project itself, or its necessity and security implications should be thoroughly justified and documented. | LLM | SKILL.md:20 |
| CRITICAL | **Execution of arbitrary script from untrusted pastebin service (macOS).** The skill instructs macOS users to visit a `glot.io` snippet (a pastebin-like service), copy its content, and paste it directly into their Terminal. Executing arbitrary, unreviewed scripts from untrusted sources like pastebins is an extremely dangerous practice. Such scripts can perform any action the user can, including installing malware, exfiltrating data, or modifying system configurations, leading to full system compromise. Remediation: Remove instructions to execute scripts from untrusted pastebin services. Any required installation steps should be provided directly within the skill package, be thoroughly reviewed, and ideally be part of a trusted package manager or official distribution channel. | LLM | SKILL.md:22 |
| CRITICAL | **Overly broad Google API scopes requested.** The `google_auth.py` helper script requests extremely broad OAuth scopes for Google Workspace services, including `gmail.modify`, `calendar`, `contacts`, `spreadsheets`, `documents`, and `drive`. These scopes grant full read, write, and delete access to a user's entire Gmail, Calendar, Contacts, Sheets, Docs, and Drive data. This violates the principle of least privilege, as many of the demonstrated functionalities (e.g., listing emails, reading documents) only require read-only access. Granting such extensive permissions significantly increases the blast radius in case of a compromise or misuse of the skill. Remediation: Implement the principle of least privilege by requesting only the minimum necessary OAuth scopes for each specific functionality. For example, if a function only lists emails, request `https://www.googleapis.com/auth/gmail.readonly` instead of `gmail.modify`. Consider breaking down the skill into sub-skills with more granular permissions if different functionalities require different access levels. | LLM | SKILL.md:45 |
| MEDIUM | **Unpinned Python dependencies.** The skill's manifest and setup instructions specify Python packages (`google-api-python-client`, `google-auth-httplib2`, `google-auth-oauthlib`) without pinning them to specific versions. This introduces a supply chain risk, as future versions of these libraries could introduce breaking changes, vulnerabilities, or malicious code without explicit review. Remediation: Pin all Python dependencies to exact versions (e.g., `package: "google-api-python-client==X.Y.Z"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. | LLM | SKILL.md:10 |
| MEDIUM | **Instruction to place sensitive `credentials.json` in working directory.** The setup instructions advise users to download `credentials.json` (containing OAuth client secrets) to their 'working directory'. While a later note advises against committing it to version control, placing sensitive files in a potentially less secure or version-controlled working directory increases the risk of accidental exposure, especially if the directory is shared, backed up insecurely, or inadvertently committed. Remediation: Advise users to store `credentials.json` in a secure location outside the working directory, such as a dedicated configuration directory or using environment variables, and ensure proper file permissions are set. The `google_auth.py` script should then be updated to load the file from this secure location. | LLM | SKILL.md:37 |
| LOW | **Use of `pickle.load` for credential storage.** The `google_auth.py` script uses `pickle.load` to deserialize the `token.pickle` file, which stores user credentials. While `token.pickle` is generated by the script itself, deserializing data with `pickle` from a file can be a vector for arbitrary code execution if an attacker can tamper with the `token.pickle` file. In an AI agent context, if the agent's local files are accessible or manipulable by an external entity, this could lead to command injection. Remediation: Consider using a more secure serialization format for storing credentials, such as JSON with encryption, or a dedicated credential management system, especially if the `token.pickle` file's integrity cannot be guaranteed. | LLM | SKILL.md:51 |