skills/openclaw/gogcli/gog-forms/Gen Agent Trust Hub

gog-forms

Pass

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the project-specific gog CLI tool to interact with Google Forms services.
  • Evidence: SKILL.md defines subcommands such as add-question, create, delete-question, get, move-question, publish, questions, raw, responses, update, and watch.
  • [SAFE]: The skill implements and recommends several security best practices for handling Google data.
  • The documentation advises using --readonly for non-mutating tasks to prevent accidental data modification.
  • The --wrap-untrusted flag is recommended for processing Google content, providing a defense against indirect prompt injection from form responses or questions.
  • Use of --dry-run and --no-input is suggested for safe automation and verification of destructive actions.
  • [PROMPT_INJECTION]: The skill handles untrusted data from Google Forms that could contain malicious instructions (Indirect Prompt Injection).
  • Ingestion points: The responses, get, and questions commands in SKILL.md read external data.
  • Boundary markers: The skill explicitly instructs the agent to use the --wrap-untrusted flag to mitigate injection risks.
  • Capability inventory: The skill can perform mutations such as delete-question, update, and create.
  • Sanitization: Sanitization is delegated to the gog tool's wrapping mechanism as per the provided instructions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 24, 2026, 10:52 AM
Security Audit — agent-trust-hub — gog-forms