googledocs-automation

Fail

Audited by Socket on Feb 18, 2026

1 alert found:

Obfuscated File: HIGH
SKILL.md

The toolkit's capabilities align with legitimate Google Docs automation use-cases, but the documented design delegates OAuth and API calls to a third-party managed checkpoint (Rube/Composio). This creates a supply-chain and privacy risk: OAuth tokens and document contents transit the MCP and could be persisted or misused if the MCP is untrusted or compromised. There is no explicit evidence of malware or obfuscation in the provided manifest, but the absence of transparency about token handling, endpoint verification, and retention policies warrants caution.

Recommended actions:
(1) Do not use or grant access via the MCP until you can verify the operator's trustworthiness, inspect MCP source or audit reports, and confirm minimal OAuth scopes;
(2) Prefer direct Google API integration where feasible;
(3) If using the MCP, limit scopes, use ephemeral tokens and verify logging/retention policies;
(4) Monitor document sharing and audit activity after initial connection.

Confidence: 98%
Audit Metadata
Analyzed At: Feb 18, 2026, 01:45 AM
Package URL: pkg:socket/skills-sh/ComposioHQ%2Fawesome-claude-skills%2Fgoogledocs-automation%2F@4b995e80c5f25ad4f59bb0b3faf019b97415add0