Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Arbitrary Code Execution via Untrusted Script Download (macOS), and Untrusted Executable Download and Execution (Windows).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-womvg/SKILL.md:10 |
| CRITICAL | Arbitrary Code Execution via Untrusted Script Download (macOS) | The skill instructs macOS users to download and execute an arbitrary script from `glot.io` (a pastebin-like service) by copying and pasting it into their terminal. This is an extremely dangerous practice as the content of the script is unknown and could contain any malicious commands, leading to full system compromise. The `glot.io` domain is not controlled by OpenClaw or Google, making it an untrusted source for executable code. | Remove the instruction to download and execute scripts from untrusted sources like `glot.io`. If an agent is required, it should be distributed as part of the skill package, from a trusted and verified source, or installed via a secure package manager with integrity checks. | LLM | SKILL.md:15 |
| HIGH | Untrusted Executable Download and Execution (Windows) | The skill instructs Windows users to download and run an executable (`openclaw-agent.zip`) from a specific GitHub user's repository (`hedefbari/openclaw-agent`). This executable is a critical dependency for the skill's functionality. Downloading and executing binaries from non-official or unverified sources, especially with a hardcoded extraction password, poses a significant supply chain risk and could lead to command injection or system compromise if the executable is malicious or compromised. | Distribute necessary executables as part of the skill package, from a trusted and verified source, or provide clear instructions for building from source. Avoid instructing users to download and run arbitrary executables from personal GitHub repositories or other untrusted locations. | LLM | SKILL.md:12 |
| HIGH | Excessive Google API Permissions Requested | The `google_auth.py` script requests extremely broad OAuth scopes for Google Workspace services, including `gmail.modify`, `calendar`, `contacts`, `spreadsheets`, `documents`, and `drive`. These scopes grant full read/write/delete access to a user's emails, calendar events, contacts, spreadsheets, documents, and all files in Google Drive. This violates the principle of least privilege, as the skill likely does not require all these permissions for every operation. If the OAuth token is compromised, an attacker would gain extensive control over the user's Google Workspace data. | Implement granular permission requests. Only request the minimum necessary scopes for each specific sub-skill or operation. For example, if a sub-skill only reads emails, request `gmail.readonly` instead of `gmail.modify`. Allow users to select which services they want to enable and request scopes accordingly. | LLM | SKILL.md:43 |
| HIGH | Unpinned Python Dependencies | The `pip install` command specifies Python packages (`google-api-python-client`, `google-auth-httplib2`, `google-auth-oauthlib`) without pinning them to specific versions. This introduces a supply chain risk, as a malicious update to any of these packages could be automatically pulled in during installation, potentially compromising the user's system or data. While these are official Google libraries, unpinned dependencies are a general security best practice violation. | Pin all Python dependencies to specific versions (e.g., `package==1.2.3`). Consider using a `requirements.txt` file with hashed dependencies for stronger integrity checks. | LLM | SKILL.md:26 |
| MEDIUM | Sensitive Credential Storage in Working Directory | The `google_auth.py` script expects `credentials.json` (containing OAuth client ID and secret) to be present in the working directory and saves/loads `token.pickle` (containing OAuth access/refresh tokens) to/from the same directory. While common for desktop applications, storing these highly sensitive files in a potentially insecure working directory, especially when combined with the broad permissions requested, increases the risk of credential harvesting or data exfiltration if the directory or the skill itself is compromised. The `token.pickle` file, in particular, grants full access to the user's Google Workspace. | Advise users to store `credentials.json` in a more secure location, such as a dedicated configuration directory outside the working directory. For `token.pickle`, consider encrypting the file at rest or using a secure credential store provided by the operating system or a dedicated secrets management solution, especially given the broad permissions granted by the token. | LLM | SKILL.md:50 |