fix(security): guard risky share and delegate flows (openclaw#317) (thanks @salmonumbrella)

Peter Steinberger · Peter Steinberger · commit 35c5563badf9 · 2026-03-07T23:25:43.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@
 - Timezone: embed the IANA timezone database so Windows builds can resolve calendar timezones correctly. (#388) — thanks @visionik.
 - Google API: use transport-level response-header timeouts for API clients while keeping token exchanges bounded, so large downloads are not cut short by `http.Client.Timeout`. (#425) — thanks @laihenyi.
 - Sheets: make `sheets metadata --plain` emit real TSV tab delimiters, with regression coverage for plain tabular sheet output. (#298) — thanks @mahsumaktas.
+- Security: require confirmation before public Drive shares, Gmail forwarding filters, and Gmail delegate grants in no-input/agent flows. (#317) — thanks @salmonumbrella.
 - Auth: keep Keep-only service-account fallback isolated to Keep commands so other Google services do not accidentally pick it up. (#414) — thanks @jgwesterlund.
 - Contacts: send the required `copyMask` when deleting "other contacts", avoiding People API 400 errors. (#384) — thanks @rbansal42.
 - Calendar: hide cancelled/deleted events from `calendar events` list output by explicitly setting `showDeleted=false`. (#362) — thanks @sharukh010.
diff --git a/internal/cmd/auth.go b/internal/cmd/auth.go
@@ -500,10 +500,10 @@ func formatRemoteStep2Instruction(services []googleauth.Service, c *AuthAddCmd)
 	if c.Readonly {
 		parts = append(parts, "--readonly")
 	}
-	if driveScope := strings.ToLower(strings.TrimSpace(c.DriveScope)); driveScope != "" && driveScope != "full" {
+	if driveScope := strings.ToLower(strings.TrimSpace(c.DriveScope)); driveScope != "" && driveScope != string(googleauth.DriveScopeFull) {
 		parts = append(parts, "--drive-scope", driveScope)
 	}
-	if gmailScope := strings.ToLower(strings.TrimSpace(c.GmailScope)); gmailScope != "" && gmailScope != "full" {
+	if gmailScope := strings.ToLower(strings.TrimSpace(c.GmailScope)); gmailScope != "" && gmailScope != string(googleauth.GmailScopeFull) {
 		parts = append(parts, "--gmail-scope", gmailScope)
 	}
 	if c.ForceConsent {

Original file line number	Diff line number	Diff line change
`@@ -500,10 +500,10 @@ func formatRemoteStep2Instruction(services []googleauth.Service, c *AuthAddCmd)`
`500`	`500`	`if c.Readonly {`
`501`	`501`	`parts = append(parts, "--readonly")`
`502`	`502`	`}`
`503`		`- if driveScope := strings.ToLower(strings.TrimSpace(c.DriveScope)); driveScope != "" && driveScope != "full" {`
	`503`	`+ if driveScope := strings.ToLower(strings.TrimSpace(c.DriveScope)); driveScope != "" && driveScope != string(googleauth.DriveScopeFull) {`
`504`	`504`	`parts = append(parts, "--drive-scope", driveScope)`
`505`	`505`	`}`
`506`		`- if gmailScope := strings.ToLower(strings.TrimSpace(c.GmailScope)); gmailScope != "" && gmailScope != "full" {`
	`506`	`+ if gmailScope := strings.ToLower(strings.TrimSpace(c.GmailScope)); gmailScope != "" && gmailScope != string(googleauth.GmailScopeFull) {`
`507`	`507`	`parts = append(parts, "--gmail-scope", gmailScope)`
`508`	`508`	`}`
`509`	`509`	`if c.ForceConsent {`