Employee Reminder Ops
Google Sheets-driven employee reminder and special-event reporting workflow for internal operations. Use when setting up or migrating birthday reminders, dai...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 0 · 39 · 0 current installs · 0 all-time installs
by Vĩnh Tâm @Vt-mmm
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to be a Google Sheets-driven reminder workflow (Plan A) which legitimately needs a Google CLI and chat bot tokens. However, the registry metadata declares no required binaries or environment variables, while the code requires the 'gog' CLI, Node.js runtime, and multiple environment variables (PLAN_A_SHEET_ID, DISCORD_BOT_TOKEN, GOG_ACCOUNT, etc.). Also the code contains hardcoded defaults (spreadsheet ID, Discord channel ID, gog account) that are unexpected in a generic skill package.
Instruction Scope
SKILL.md and the JS implement the intended workflow (read Sheets via gog, build reports, POST to Discord). That scope is coherent. Concerns: the demo script will execute the external 'gog' binary and POST to Discord if run with a token; it reads/writes a .state file in the workspace (creates state and lastError). The bundled run-plan-a.sh contains an absolute user-specific path (/Users/vtammm/.openclaw/workspace) which is a leftover dev path and could cause surprising behavior if executed as-is.
Install Mechanism
There is no install spec (instruction-only + code files), which minimizes install-time risk. The runtime relies on external tools (Node.js and the gog CLI) and suggests using ClawHub; these are standard for this kind of skill. No remote download URLs or archive extraction are present. Still, the lack of declared required binaries in metadata is an inconsistency.
Credentials
The package metadata lists no required environment variables, but code and docs reference many environment variables including sensitive tokens (DISCORD_BOT_TOKEN, DISCORD_CHANNEL_ID), a GOG account, and local state paths. There are also hardcoded defaults for spreadsheet ID, Discord channel ID, and GOG_ACCOUNT inside the script — this both contradicts the SKILL.md statement that spreadsheet ID is 'deployment config' and increases the risk of accidental use of someone else's sheet or channel if not overridden.
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It writes a .state directory and state file under the working directory (by default process.cwd()/.state) to track sent reports and lastError; this is expected for duplicate-prevention but is persistent storage. The run script's hardcoded cd path is an out-of-package absolute path and should be removed/edited before running.
What to consider before installing
This skill appears to implement the claimed Google Sheets → Discord/Telegram reminder workflow, but there are important mismatches you should address before installing or running it:
- Metadata vs reality: The registry metadata lists no required binaries or env vars, but the code requires Node.js and the 'gog' CLI and expects many environment variables (e.g., PLAN_A_SHEET_ID, DISCORD_BOT_TOKEN, GOG_ACCOUNT, PLAN_A_STATE_DIR). Treat those env vars as secrets (especially DISCORD_BOT_TOKEN).
- Hardcoded defaults: The script embeds a default spreadsheet ID, a default Discord channel ID, and a default GOG account. Verify the default spreadsheet ID belongs to your organization (or overwrite it) — otherwise you may be reading or interacting with an unrelated sheet or channel.
- Absolute path in run-plan-a.sh: The bundled shell helper contains a hardcoded developer path (/Users/vtammm/.openclaw/workspace). Do not run that script as-is; edit it to your environment or run the Node script directly from a controlled location.
- State files: The tool will create and update a .state directory and JSON state file in the working directory; inspect those files and ensure your runtime location is appropriate and not a shared/public repo.
- Safe testing: Before connecting any real bot token, run the preview and json modes (node plan-a-demo.js preview or json) to inspect output. Only run 'send' or 'prod-send' after you have confirmed configuration and used a test Discord/Telegram bot and test channel.
- Secrets handling: Follow the SKILL.md advice: do not commit tokens to Git, use local .env files that are excluded from VCS, and rotate tokens if they are accidentally exposed.
If you need higher confidence, request that the publisher update the registry metadata to declare required binaries/env vars and remove or replace the hardcoded defaults and absolute paths. Review the plan-a-demo.js source yourself (or in an isolated environment) before granting any secrets or scheduling automated runs.
scripts/plan-a-demo.js:24
Shell command execution detected (child_process).
scripts/plan-a-demo.js:8
Environment variable access combined with network send.
scripts/plan-a-demo.js:34
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.1
SKILL.md
Employee Reminder Ops
Use this skill when working on the internal reminder workflow currently called Plan A.
What this skill covers
- Read employee and special-event data from Google Sheets
- Generate daily reminder reports
- Route reminder reports into Telegram or Discord groups/channels
- Configure scheduler/runtime for daily 7:00 AM reports
- Migrate the workflow to another machine
Core workflow
- Load staff and event data from Google Sheets
- Normalize dates and detect upcoming birthdays/events
- Render one report message per day
- Send the report to the mapped chat/group/channel
- Avoid duplicate sends for the same day
Current data model
Google Sheet
- Spreadsheet ID is deployment config, not hardcoded in the skill
- Staff tab example: Trang tính1
- Event tab example: NgayDacBiet
Staff columns
- Mã NV
- Họ và Tên
- Bộ Phận
- Loại hình nhân sự
- Vị trí
- Ngày sinh
Event columns
- STT
- Tên sự kiện
- Ngày diễn ra
- Loại sự kiện
- Bộ phận phụ trách
- Ghi chú
- Nhắc trước
- Kích hoạt
Deployment guidance
Read references/deployment.md when setting up on a new machine.
Runtime/config boundary
Keep these outside the skill package:
- Google OAuth tokens
- Telegram/Discord bot tokens
- group/channel IDs
- .env*
- .state/*
- logs
Bundle only:
- workflow scripts
- schema notes
- templates/examples
- scheduler examples
- assets/windows/ - example env file and PowerShell helper for Windows bring-up
Included references
- references/architecture.md - Plan A architecture and routing notes
- references/deployment.md - install/migrate checklist
- references/google-sheet-schema.md - canonical Sheet structure for staff/events
- references/clawhub.md - publish/install/update commands via ClawHub
- references/troubleshooting.md - common runtime/scheduler/data issues
- references/windows.md - Windows-specific deployment notes
- references/macos.md - macOS-specific deployment notes
