Scan Report
5/100
civic-google
Use gog (Google CLI) without manual OAuth setup — Civic handles token management automatically
SKILL.md documents a legitimate OAuth proxy plugin for Google Workspace CLI access with transparent disclosure of network communication and credential handling.
Safe to install
No immediate concerns. When deploying, verify the npm package @civic/openclaw-google integrity via its GitHub source and ensure CIVIC_TOKEN is stored securely.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Network | READ | READ | ✓ Aligned | SKILL.md documents HTTPS requests to app.civic.com for scope resolution |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: 'gog' CLI execution is core functionality |
| Environment | READ | READ | ✓ Aligned | SKILL.md: Reads CIVIC_TOKEN, OPENCLAW_PROXY_URL; sets GOG_ACCESS_TOKEN |
| Filesystem | NONE | NONE | — | No file operations documented |
File Tree
1 file · 5.3 KB · 115 lines (Markdown: 1 file, 115 lines)
└─ SKILL.md (Markdown)
Security Positives
✓ Open source plugin with verifiable source at github.com/civicteam/openclaw-google
✓ Network communication fully disclosed with specific endpoint (app.civic.com)
✓ OAuth tokens stored encrypted (AES-256) on the server side
✓ Scope-based access control limits permissions to minimum required
✓ CIVIC_TOKEN is the user's own API key, not harvested credentials
✓ Command arguments are explicitly NOT logged or stored by the proxy
✓ HTTPS enforced for all external communication
✓ No base64 encoding, reverse shells, or obfuscated code in documentation