Scan Report
5/100
google-drive-service-account
Access Google Drive from OpenClaw using either service-account JSON or OAuth refresh token for search, listing, download, export, upload, and folder creation
This is a legitimate Google Drive helper using OAuth/service-account auth, with no malicious behavior detected.
Safe to install
No action required. This is a safe, well-implemented skill for Google Drive file operations.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | SKILL.md: upload, mkdir, --out for download/export |
| Network | READ | READ | ✓ Aligned | SKILL.md: all Drive API operations; gdrive_sa.py: DRIVE_API_BASE |
| Shell | WRITE | WRITE | ✓ Aligned | skill metadata bins: [openssl]; gdrive_sa.py:143 subprocess openssl for RS256 si… |
| Environment | READ | READ | ✓ Aligned | SKILL.md: GOOGLE_OAUTH_REFRESH_TOKEN, GOOGLE_SERVICE_ACCOUNT_KEY, GOOGLE_CLIENT_… |
| Skill Invoke | NONE | NONE | — | No skill_invoke usage |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
1 finding
Info Email (email address)
[email protected] SKILL.md:57
File Tree
2 files · 18.4 KB · 535 lines
Python 1f · 392L
Markdown 1f · 143L
├─ scripts
│  └─ gdrive_sa.py (Python)
└─ SKILL.md (Markdown)
Security Positives
✓ All file writes are scoped to user-specified --out paths with parent directory creation
✓ Temp files for private key signing use 0o600 permissions (owner-only read/write)
✓ All network requests target Google's official APIs (apis.google.com, oauth2.googleapis.com)
✓ Service account JSON is validated for required fields before use
✓ No credential exfiltration - tokens stay local and are used only for API calls
✓ No base64 obfuscation, no curl|bash patterns, no sensitive path traversal
✓ Skill metadata explicitly declares openssl and python3 as required binaries
✓ Multipart upload is handled entirely in-memory without temp files on disk
✓ JWT signing subprocess is scoped to a single, well-defined cryptographic operation