OpenClaw Google Workspace

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This appears to be a legitimate Google Workspace integration, but it grants broad Google account authority and some write-capable actions are not clearly protected by confirmation or least-privilege scopes.

Install only if you are comfortable granting this plugin access to the selected Google Workspace services. Start with Gmail, Drive, and Sheets in read-only mode, enable write access only for specific needs, verify the OAuth scopes before consenting, and protect the credentials and token files under `~/.openclaw/secrets`.

Static analysis

Install untrusted source

Warn
Finding
Install source points to URL shortener or raw IP.
Skill content
"placeholder": "http://127.0.0.1:3000/oauth2callback",

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If write mode is enabled, an agent could send email or change Workspace data through these tools without the same documented confirmation guard used for calendar changes.

Why it was flagged

The plugin exposes tools that can send messages or mutate Google Workspace data. Calendar tools document a `confirmed` parameter and preview flow, but these other write actions are only described as blocked by read-only mode, not as requiring explicit confirmation.

Skill content
`google_gmail_send` — Send an email. **Blocked in read-only mode.** ... `google_sheets_write` — Write data to a spreadsheet. **Blocked in read-only mode.** ... `google_tasks_complete` — Mark a task as completed.
Recommendation

Use read-only mode by default where possible, enable write services only when needed, and add explicit confirmation requirements for email sending, Sheets writes, Drive file creation, and Task changes.

What this means

Authorizing the default Gmail configuration may grant the plugin the ability to modify mailbox state beyond the user-visible Gmail tool list.

Why it was flagged

Gmail is documented as enabled by default with read-only disabled, and the read-write scope includes `gmail.modify` even though the documented Gmail tools are search, read, list, and send. That appears broader than necessary for sending email.

Skill content
| Gmail | `gmail.readonly` | `gmail.modify` + `gmail.send` | ... | `gmail` | true | false |
Recommendation

Default Gmail to read-only, request `gmail.send` separately only when sending is needed, and avoid `gmail.modify` unless mailbox modification tools are explicitly documented and user-approved.

What this means

Anyone or anything that can read the token file may be able to access the authorized Google services.

Why it was flagged

The plugin persistently stores and refreshes OAuth tokens for Google Workspace services. This is expected for the stated purpose and is disclosed, but it is sensitive delegated account access.

Skill content
**Token management:**
- Tokens stored securely with `chmod 600` permissions
- Auto-refresh when access token expires
- Incremental scope addition when enabling new services (`include_granted_scopes: true`)
Recommendation

Store credentials and tokens only under a protected secrets directory, keep file permissions restrictive, and revoke the OAuth grant if the machine or token file may be compromised.

What this means

Package metadata inconsistencies can make it harder to know exactly what code or dependencies will be installed in some workflows.

Why it was flagged

The lockfile version and dependency list do not match `package.json`, which shows version `0.2.1` and only `googleapis` as a runtime dependency. This looks like stale or inconsistent package metadata rather than confirmed malicious behavior.

Skill content
"version": "0.1.1" ... "dependencies": { "googleapis": "^171.4.0", "user": "^0.0.0" }
Recommendation

Regenerate and publish a consistent lockfile or remove it from the package if it is not used, and ensure runtime dependencies match `package.json`.