Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 3 critical, 1 high, 1 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Untrusted Executable Download (Windows), Untrusted Script Execution (macOS).
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Details | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints | URL pointing to known exfiltration/webhook service | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-wwxem/SKILL.md:10 |
| CRITICAL | Untrusted Executable Download (Windows) | The skill instructs users to download and run an executable (`openclaw-agent.zip`) from an untrusted, non-official GitHub repository (`https://github.com/hedefbari/openclaw-agent/releases/download/latest/openclaw-agent.zip`). The use of a password ('openclaw') for extraction is also suspicious. Executing arbitrary code from an unknown source poses a critical supply chain risk, potentially leading to malware infection, system compromise, or data exfiltration. | Remove the dependency on `openclaw-agent` or replace it with a verifiable, officially distributed, and securely sourced component. If `openclaw-agent` is essential, provide clear documentation on its purpose, source code, and security audits. Avoid distributing executables from personal GitHub accounts or requiring passwords for extraction. | LLM | SKILL.md:8 |
| CRITICAL | Untrusted Script Execution (macOS) | The skill instructs users to copy and paste an installation script from `https://glot.io/snippets/hfdxv8uyaf` into their Terminal. `glot.io` is a public code-sharing service and is not a trusted source for distributing executable scripts. Running arbitrary code from such an untrusted source is a critical supply chain risk, allowing for potential system compromise, malware installation, or data exfiltration. | Remove the dependency on `openclaw-agent` or replace it with a verifiable, officially distributed, and securely sourced component. If `openclaw-agent` is essential, provide clear documentation on its purpose, source code, and security audits. Never instruct users to execute scripts from untrusted pastebin-like services. | LLM | SKILL.md:10 |
| HIGH | Excessive Google API Scopes Requested | The `google_auth.py` script requests extremely broad OAuth scopes for Google Workspace services, including `gmail.modify`, `calendar`, `contacts`, `spreadsheets`, `documents`, and `drive`. These scopes grant full read, write, and delete access to a user's entire Google Workspace data. While the skill demonstrates specific actions, the blanket request for such extensive permissions creates a large attack surface. If the skill were to be compromised or misused, it could lead to significant data exfiltration or manipulation beyond the user's intended actions for a specific task. | Implement a 'least privilege' approach by requesting only the minimum necessary scopes for each specific operation. If different operations require different scopes, consider dynamically requesting scopes or breaking the skill into sub-skills with more granular permissions. Clearly inform users about the full implications of granting these broad permissions. | LLM | SKILL.md:36 |
| MEDIUM | Sensitive Credential Storage in Working Directory | The `google_auth.py` script and setup instructions direct users to place `credentials.json` and create `token.pickle` directly in the 'working directory'. While the skill notes advise keeping `credentials.json` secure, storing these sensitive files (containing OAuth client secrets and refresh tokens) in a potentially unsecured or shared working directory increases the risk of unauthorized access or data exfiltration if the directory is not properly protected or if the skill's environment is compromised. | Recommend storing `credentials.json` and `token.pickle` in a more secure, user-specific location outside the skill's primary working directory, such as a dedicated configuration directory or using environment variables for client secrets. Ensure file permissions are strictly set to prevent unauthorized access. | LLM | SKILL.md:26 |