google-drive

The package appears to be a legitimate Google Drive management tool with extensive capabilities. The primary security concerns are architectural and operational: a shared plaintext OAuth token (~/.claude/.google/token.json) used across multiple skills with aggregated high-privilege scopes increases the blast radius and enables lateral misuse by any component that can read that file. The tool exposes high-impact operations (public sharing, ownership transfer, permanent deletion) without documented safeguards or recommended confirmations. No clear signs of deliberate malware or obfuscation were identified in the provided content, but the credential handling and permissive examples constitute a moderate supply-chain/security risk. Recommended mitigations: use per-skill credentials or per-skill tokens with least privilege scopes, protect token storage (restrict file permissions or use OS credential stores), add explicit confirmation prompts for destructive/public actions, and document token rotation and audit logging.