gog Security Report — Trusted | ClawSafe

10 /100

gog

Google Workspace CLI for Gmail, Calendar, Drive, Contacts, Sheets, and Docs

This is a pure documentation skill describing CLI usage of the external 'gog' Google Workspace tool. No malicious behavior, no implementation code, and no sensitive operations performed by the skill itself.

Skill Namegog

Duration37.7s

Enginepi

✓

Safe to install

The skill is safe to use as it only documents CLI commands. However, the external 'gog' CLI tool from a third-party Homebrew tap should be verified independently for security.

Findings 2 items

Severity	Finding	Location
Low	External dependency from third-party tap Supply Chain The skill requires 'gog' CLI installed via Homebrew from 'steipete/tap/gogcli'. This is a third-party Homebrew tap that is not maintained by Google. `install:[{id:"brew",formula:"steipete/tap/gogcli",bins:["gog"]}]` → Verify the gog CLI source and ensure it is the official tool. Consider pinning to a specific version.	`SKILL.md:1`
Low	Allowed-tools not explicitly declared Doc Mismatch The skill metadata does not declare allowed-tools mapping. While CLI documentation naturally implies shell execution, explicit declaration would improve transparency. `No allowed-tools declaration in _meta.json` → Add explicit allowed-tools mapping in _meta.json if shell:WRITE is expected.	`SKILL.md:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No filesystem operations described in SKILL.md
Network	`NONE`	`NONE`	—	No direct network calls made - relies on external gog CLI
Shell	`NONE`	`WRITE`	✓ Aligned	CLI documentation naturally implies shell usage, but skill is documentation-only
Environment	`NONE`	`NONE`	—	No environment variable access described
credential	`NONE`	`NONE`	—	OAuth setup documented but credential handling is delegated to gog CLI

3 findings

🔗

Medium External URL 外部 URL

https://gogcli.sh

SKILL.md:4

📧

Info Email 邮箱地址

[email protected]

SKILL.md:14

📧

Info Email 邮箱地址

[email protected]

SKILL.md:19

File Tree

2 files · 1.8 KB · 41 lines

Markdown 1f · 36L JSON 1f · 5L

├─ 📋 _meta.json JSON 5L · 122 B

└─ 📝 SKILL.md Markdown 36L · 1.7 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`gog-cli`	`unspecified`	brew tap steipete/tap/gogcli	No	Third-party Homebrew tap - verify source independently

Security Positives

✓ No malicious code or scripts present

✓ No credential harvesting or exfiltration

✓ No base64-encoded payloads or obfuscation

✓ No sensitive file/path access

✓ No remote script execution (curl|bash patterns)

✓ No supply chain typosquatting detected

✓ OAuth-based authentication is documented (legitimate pattern)

✓ Skill is documentation-only, delegating actual operations to external CLI

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives