Trust Assessment
google-workspace received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 1 medium, 0 low, and 1 informational. Key findings: network egress to untrusted endpoints, direct download and execution of untrusted binaries/scripts, and overly broad Google API scopes requested.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100; it is also the layer that produced four of the five findings below.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown / Behavioral Risk Signals (per-layer score chart and risk-signal panel; not reproduced in this text version)
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints. A URL in the manifest points to a known exfiltration/webhook service (the same SKILL.md line carries the glot.io link described in the next finding). Remediation: review all outbound network calls; remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/hightower6eu/google-workspace-zg8ad/SKILL.md:10 |
| CRITICAL | Direct download and execution of untrusted binaries/scripts. The skill instructs users to download and run an 'openclaw-agent.zip' executable from an external GitHub release and to copy a script from 'glot.io' into their terminal. This bypasses package management and any integrity check, so whoever controls either source (or compromises it) gets arbitrary code execution on the user's machine. The 'glot.io' link is the worse of the two: the snippet behind it can be changed at any time without notice, so the instructions effectively execute whatever that page serves today. Remediation: remove the download-and-run instructions. If 'openclaw-agent' is essential, distribute it through a trusted package manager or ship it inside the skill package with a pinned hash that is verified before execution. Replace the 'glot.io' link with an auditable script committed to the skill's own repository. | LLM | SKILL.md:10 |
| HIGH | Overly broad Google API scopes requested. The 'google_auth.py' helper requests a wide set of Google API scopes, including 'gmail.modify', 'calendar', 'contacts', 'spreadsheets', 'documents', and 'drive'. 'gmail.modify' grants read/write/delete access to the mailbox and 'drive' grants access to the user's entire Drive, so a compromise of the skill, or of its cached token, exposes far more than any single function needs. Remediation: scope the grant to the service and access level actually used: let the user select the services they intend to use, or split the skill into service-specific sub-skills with narrow scopes. Prefer read-only scopes ('gmail.readonly', 'drive.readonly') where writes are not needed, and note that changing the scope list invalidates the cached token, so users must re-consent. | LLM | SKILL.md:37 |
| MEDIUM | Unpinned Python dependencies. The 'pip install' command in the manifest and setup instructions names 'google-api-python-client', 'google-auth-httplib2', and 'google-auth-oauthlib' without version pins. Installs are therefore non-deterministic, and a breaking or compromised release of any of these packages is pulled in automatically. Remediation: pin every dependency to an exact version ('package==1.2.3') in a 'requirements.txt', and pin hashes as well (pip's '--require-hashes' mode, or 'pip-compile --generate-hashes') so a substituted artifact fails to install. | LLM | SKILL.md:24 |
| INFO | Use of `pickle` for OAuth token storage. 'google_auth.py' serializes OAuth tokens with Python's `pickle` module to 'token.pickle'. This was common in older Google client samples, but `pickle.load` executes code embedded in the stream: anyone who can write 'token.pickle' (another local process, a restored backup, a synced folder) gets code execution the next time the skill runs. Because the skill itself creates and reads the file, the immediate risk is limited, which is why this is rated informational. Remediation: store the token as JSON (google-auth credentials expose `to_json()` and `from_authorized_user_info()` for this), create the file owner-read/write only, or use the operating system's credential store or a secrets manager. | LLM | SKILL.md:44 |
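The two critical findings and the medium one are all patterns that can be caught by reading the manifest before anyone runs it. The audit below is an added example, not SkillShield's scanner and not the skill's own code: it pulls every URL out of a SKILL.md-style text and flags raw-IP hosts, paste/webhook hosts, and direct archive/script downloads; flags `pip install` arguments that carry no `==` pin; and includes the hash check the remediation for the 'openclaw-agent.zip' finding asks for. The manifest text, the `example-org` release URL, the `203.0.113.7` address and the host denylist are constructed for illustration; only `glot.io` comes from the report.

```python
"""Audit a SKILL.md-style manifest for the egress, download-and-run and
unpinned-dependency patterns reported above.

Added example, not SkillShield's scanner or the skill's code. The manifest
below is constructed; 'glot.io' is the only host taken from the report.
"""
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import urlparse

# Hosts that serve arbitrary user-submitted content (paste/run sites, webhook
# collectors). Stub list: extend it with your own denylist.
UNTRUSTED_HOSTS = {"glot.io"}

# Suffixes that mean "download this and execute it".
EXECUTABLE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".sh", ".ps1", ".exe", ".bin")

URL_RE = re.compile(r"""https?://[^\s)"'`<>]+""")
PIP_RE = re.compile(r"\bpip3?\s+install\s+(.+)")
PINNED_RE = re.compile(r"^[A-Za-z0-9_.\-\[\]]+==\d[^\s]*$")

# Constructed sample manifest (not the real SKILL.md). 203.0.113.7 is a
# documentation-range address; example-org is a placeholder.
SAMPLE_MANIFEST = """\
# Setup (constructed sample, not the real SKILL.md)
Download https://github.com/example-org/example-agent/releases/download/v1.0/agent.zip and run it.
Then paste the script from https://glot.io/snippets/abc123 into your terminal.
pip install google-api-python-client google-auth-httplib2 google-auth-oauthlib
Reports are posted to http://203.0.113.7/collect
"""


def is_raw_ip(host: str) -> bool:
    """True if the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_urls(text: str):
    """Return (line_no, url, reason) for every URL matching a risky pattern."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            host = (parsed.hostname or "").lower()
            if is_raw_ip(host):
                findings.append((n, url, "raw IP address"))
            elif host in UNTRUSTED_HOSTS:
                findings.append((n, url, "paste/webhook host"))
            elif parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append((n, url, "direct binary/script download"))
    return findings


def audit_pip_lines(text: str):
    """Return (line_no, requirement) for pip install arguments lacking '=='."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = PIP_RE.search(line)
        if not m:
            continue
        for arg in m.group(1).split():
            if arg.startswith("-"):
                continue  # pip flags such as --upgrade, not requirements
            if not PINNED_RE.match(arg):
                findings.append((n, arg))
    return findings


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Check a shipped artifact against the hash pinned in the skill package."""
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    for n, url, reason in audit_urls(SAMPLE_MANIFEST):
        print(f"line {n}: {reason}: {url}")
    for n, req in audit_pip_lines(SAMPLE_MANIFEST):
        print(f"line {n}: unpinned dependency: {req}")
```

Run against the constructed manifest it reports the GitHub archive on line 2, the glot.io snippet on line 3, the raw-IP collector on line 5, and all three unpinned packages on line 4. The hash check is only useful if the expected digest lives in the skill package itself, not next to the download.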
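For the HIGH scope finding, the remediation is a scope list built from what the user actually needs rather than a fixed union of every service. The block below is an added example, not the skill's google_auth.py: the scope identifiers are Google's published OAuth scope names, while the service keys, the `scopes_for` and `broad_scopes` functions, and the read/write split are illustrative. It also reproduces the list the report describes so the broad-scope check can be shown flagging it.

```python
"""Least-privilege scope selection for a Google Workspace helper.

Added example, not the skill's code. Scope strings are Google's OAuth scope
identifiers; service names and the functions are illustrative.
"""
GOOGLE_AUTH = "https://www.googleapis.com/auth/"

# Per service: narrowest scope for read-only use and for write use.
SERVICE_SCOPES = {
    # gmail.modify is read/write; if the skill only sends mail, gmail.send
    # is narrower still.
    "gmail":    {"read": "gmail.readonly",        "write": "gmail.modify"},
    "calendar": {"read": "calendar.readonly",     "write": "calendar"},
    "contacts": {"read": "contacts.readonly",     "write": "contacts"},
    "sheets":   {"read": "spreadsheets.readonly", "write": "spreadsheets"},
    "docs":     {"read": "documents.readonly",    "write": "documents"},
    # drive.file is limited to files the app created or the user opened with
    # it; the bare 'drive' scope flagged in the report is the whole Drive.
    "drive":    {"read": "drive.readonly",        "write": "drive.file"},
}

# Scopes that hand over an entire service and should trip a review gate.
BROAD_SCOPES = {"gmail.modify", "drive"}

# The union the report says google_auth.py requests today, for comparison.
REPORTED_SCOPES = [
    GOOGLE_AUTH + s
    for s in ("gmail.modify", "calendar", "contacts", "spreadsheets", "documents", "drive")
]


def scopes_for(requests: dict) -> list:
    """requests maps service -> 'read' or 'write'. Returns sorted scope URLs.

    Unknown services or modes raise instead of silently widening the grant.
    """
    scopes = set()
    for service, mode in requests.items():
        if service not in SERVICE_SCOPES:
            raise ValueError(f"unknown service: {service}")
        if mode not in ("read", "write"):
            raise ValueError(f"mode must be 'read' or 'write', got {mode!r}")
        scopes.add(GOOGLE_AUTH + SERVICE_SCOPES[service][mode])
    return sorted(scopes)


def broad_scopes(scope_urls) -> list:
    """Short names of any full-service scopes in a scope list (CI/review gate)."""
    found = []
    for url in scope_urls:
        if url.startswith(GOOGLE_AUTH) and url[len(GOOGLE_AUTH):] in BROAD_SCOPES:
            found.append(url[len(GOOGLE_AUTH):])
    return sorted(found)


if __name__ == "__main__":
    print("reported list, broad scopes:", broad_scopes(REPORTED_SCOPES))
    wanted = scopes_for({"gmail": "read", "drive": "write"})
    print("narrow list:", wanted, "broad scopes:", broad_scopes(wanted))
```

The resulting list is what google-auth's `InstalledAppFlow.from_client_secrets_file(path, scopes)` takes. Because the cached token is bound to the scopes it was issued for, switching to the narrower list means deleting the old token file and re-running the consent flow once.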
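For the INFO finding, the point of moving off `pickle` is that loading the token file must never be able to run code. The block below is an added example, not the skill's google_auth.py: it writes the token as JSON into a file created owner-read/write only, refuses to load a file that is group- or world-accessible or has the wrong shape, and shows that a pickle stream planted in its place is rejected rather than executed. The token dict is constructed with obviously fake values; with google-auth installed it would come from `creds.to_json()` and go back through `Credentials.from_authorized_user_info(info, scopes)`.

```python
"""JSON token storage with restrictive permissions, replacing token.pickle.

Added example, not the skill's code. The token dict is constructed; with
google-auth installed it would be json.loads(creds.to_json()) and be
restored via Credentials.from_authorized_user_info(info, scopes).
"""
import json
import os
import stat
import tempfile

# Keys google-auth's Credentials.to_json() emits that a loader should insist on.
REQUIRED_KEYS = {"token", "refresh_token", "client_id", "client_secret", "scopes"}

# Constructed sample; none of these values are real credentials.
SAMPLE_TOKEN = {
    "token": "ya29.constructed-access-token",
    "refresh_token": "1//constructed-refresh-token",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_id": "constructed.apps.googleusercontent.com",
    "client_secret": "constructed-client-secret",
    "scopes": ["https://www.googleapis.com/auth/gmail.readonly"],
}


def save_token(path: str, info: dict) -> None:
    """Write the token as JSON to a file created with mode 0600 (POSIX).

    O_EXCL on a temp file means a pre-planted symlink at the path is not
    followed; os.replace then swaps it in atomically.
    """
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(info, f)
    os.replace(tmp, path)


def load_token(path: str) -> dict:
    """Parse and shape-check the token file. json.load never executes code."""
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by other users")
    with open(path, "r", encoding="utf-8") as f:
        info = json.load(f)
    if not isinstance(info, dict) or not REQUIRED_KEYS <= info.keys():
        raise ValueError("token file has unexpected shape")
    return info


def demo() -> dict:
    """Round-trip the sample token, then plant a pickle stream and reload."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token.json")
        save_token(path, SAMPLE_TOKEN)
        file_mode = stat.S_IMODE(os.stat(path).st_mode)
        loaded = load_token(path)

        # Overwrite with the opening bytes of a pickle protocol-4 stream
        # (PROTO 4, FRAME). pickle.load would start executing opcodes here;
        # the JSON loader raises a ValueError subclass instead.
        with open(path, "wb") as f:
            f.write(b"\x80\x04\x95\x00")
        rejected = False
        try:
            load_token(path)
        except ValueError:
            rejected = True
    return {"mode": file_mode, "roundtrip_ok": loaded == SAMPLE_TOKEN, "rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The permission check is deliberately in the loader, not only at creation time: a token file that was later copied, synced or restored with wider permissions is refused before its contents are used. On a platform without POSIX mode bits the operating system's credential store is the better home for the token, as the finding's remediation notes.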
Full report: https://skillshield.io/report/7ecdf7dfcbae9db6