Low Risk — Risk Score 22/100
Last scan: 1 day ago
gkeep-notes
Google Keep notes management via gkeepapi. List, search, create, manage notes, add items to notes.
Legitimate Google Keep CLI tool with proper credential handling and no malicious behavior, though documentation gaps around filesystem write access and supply chain concerns exist.
Skill Name: gkeep-notes
Duration: 48.6s
Engine: pi
Safe to install
Accept for use. Consider pinning `google` package to explicit version to eliminate typosquatting risk.

Findings 3 items

Severity | Finding | Category | Location

Medium | Unpinned 'google' package with typosquatting potential | Supply Chain | requirements.txt:3
  Description: requirements.txt specifies 'google' without a version constraint. This is a top-level package that could be typosquatted (e.g., 'gooogle', 'goggle'). The skill also does not list gpsoauth, which is imported by generate_token.py.
  Evidence: google
  Recommendation: Pin the 'google' package to a specific version or replace it with explicit sub-packages: google-auth-oauthlib, google-api-python-client

Low | Filesystem write access not declared in SKILL.md | Doc Mismatch | SKILL.md:1
  Description: SKILL.md does not explicitly declare that the skill writes to ~/.config/gkeep/token.json. While this is the expected credential storage mechanism, it should be documented in the declared capabilities.
  Evidence: SKILL.md declares only bins: [python3] but does not mention filesystem WRITE for token storage
  Recommendation: Add 'filesystem: WRITE' to the declared capabilities, or clarify that token.json is user-managed, not skill-managed

Low | Token file stored in user home directory | Sensitive Access | gkeep.py:56
  Description: Credentials (Google email + master token) are stored in ~/.config/gkeep/token.json with 0o600 permissions. This is appropriate, but ~/.config is in the user home tree, which is a sensitive area.
  Evidence: TOKEN_FILE = Path.home() / '.config' / 'gkeep' / 'token.json'
  Recommendation: No action needed; file permissions are correctly set to 0o600 to prevent other users from reading the token
Resource | Declared | Inferred | Status | Evidence
Filesystem | NONE | WRITE | ✗ Violation | gkeep.py:56-62 writes ~/.config/gkeep/token.json; generate_token.py writes nothi…
Network | READ | READ | ✓ Aligned | gkeep.py uses gkeepapi to communicate with Google Keep servers
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: Execution template shows 'source venv/bin/activate && python gkeep.py'
Environment | NONE | READ | ✓ Aligned | gkeep.py:39 reads GKEEP_PASSWORD from environment for optional login
Skill Invoke | NONE | NONE | | No skill invocation found
Clipboard | NONE | NONE | | No clipboard access found
Browser | NONE | NONE | | No browser automation found
Database | NONE | NONE | | No database access found
External URLs (2 findings)

Medium | External URL | https://accounts.google.com/EmbeddedSetup | README.md:30
Medium | External URL | https://myaccount.google.com/apppasswords | gkeep.py:50

File Tree

5 files · 13.2 KB · 465 lines
Python: 2 files · 326 lines; Markdown: 2 files · 135 lines; Text: 1 file · 4 lines
├─ generate_token.py (Python, 28 lines, 854 B)
├─ gkeep.py (Python, 298 lines, 7.9 KB)
├─ README.md (Markdown, 57 lines, 2.0 KB)
├─ requirements.txt (Text, 4 lines, 72 B)
└─ SKILL.md (Markdown, 78 lines, 2.3 KB)

Dependencies 5 items

Package | Version | Source | Known Vulns | Notes
gkeepapi | >=0.14.0 | pip | No | Version lower bound specified, acceptable
google | * | pip | No | No version constraint; supply chain risk
google-auth-oauthlib | * | pip | No | No version constraint
google-api-python-client | * | pip | No | No version constraint
gpsoauth | not listed | pip | No | Imported in generate_token.py but missing from requirements.txt

Security Positives

✓ Token file is correctly secured with chmod 0o600 (readable only by owner)
✓ OAuth 2.0 flow is documented with legitimate Google endpoints (accounts.google.com)
✓ No exfiltration of credentials to third parties
✓ Uses official gkeepapi library (maintained, legitimate)
✓ No base64 encoding, obfuscation, or suspicious execution patterns
✓ Shell commands are declared in execution template