Excel Workflow

Security checks across malware telemetry and agentic risk

Overview

This Excel skill is not clearly malicious, but it asks for broad Google Drive access and relies on unreviewed local helper tools to upload, track, and modify spreadsheets.

Install only if you are comfortable granting rclone broad Google Drive authority and letting the workflow upload spreadsheet files to Drive and store local tracking records. Prefer a dedicated Google account or least-privilege rclone configuration, confirm before every upload or update, and avoid using it with confidential spreadsheets until the actual helper tool source and retention/deletion behavior are reviewable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly advertises automatic Google Drive sync/backup for uploaded Excel files but does not disclose privacy, consent, or data-handling boundaries. In a skill that processes potentially sensitive spreadsheets, silent or default external transmission can expose confidential business or personal data to third-party storage without informed user approval.

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation guidance is broad enough that an agent may apply the skill whenever a user mentions Excel, even if the user only wants local analysis and did not consent to cloud sync or persistent tracking. In this skill, use of the workflow implicitly triggers Google Drive upload and SQLite storage, so over-broad routing increases the chance of unintended data disclosure and unnecessary data retention.

Missing User Warnings

High
Confidence: 97%
Finding
The skill states that uploaded Excel files are automatically analyzed, uploaded to Google Drive, and recorded in SQLite, but it does not present this as a clear user-facing warning or consent checkpoint. Because spreadsheets often contain sensitive business or personal data, silent cloud transfer and local metadata retention can cause confidentiality, compliance, and privacy violations.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README advertises automatic Google Drive sync/backup of processed Excel files but does not clearly disclose that user data may be transmitted to a third-party cloud service. For a skill that handles uploaded spreadsheets, this can lead to unexpected exfiltration of potentially sensitive business or personal data, especially because the feature is framed as automatic and beneficial rather than opt-in.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill activation guidance is overly broad, covering general spreadsheet-related requests without clear boundaries or explicit user consent for side effects. In an agent setting, this increases the chance the skill is invoked for ordinary Excel help and then performs local file processing or remote sync beyond what the user expected.

Missing User Warnings

High
Confidence: 97%
Finding
The documentation states that uploaded `.xlsx` files are automatically sent to Google Drive and recorded in SQLite, but it does not require an explicit privacy notice or consent step first. Because spreadsheets often contain financial, personal, or business-sensitive data, silent cloud upload and metadata persistence can cause unintended data disclosure and compliance issues.

VirusTotal

66/66 vendors flagged this skill as clean.
