Excel Workflow
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill’s Excel workflow is coherent, but it asks for full Google Drive access and relies on missing, unreviewed local helper tools.
Before installing, verify the missing helper tools from a trusted source, avoid granting full Google Drive access if a narrower scope is available, use a dedicated Drive folder or account, and review spreadsheet updates before letting the agent re-upload changed files.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Granting full Drive access means the configured tool could potentially read or modify much more than the intended Excel backup folder.
The documented workflow only targets `gdrive:Excel/`, but the setup asks for full Google Drive access through rclone.
Follow prompts: - Name: `gdrive` - Storage: `drive` (Google Drive) - Scope: `1` (Full access)
Use the least-privileged rclone/Google Drive scope possible, preferably a dedicated Drive folder or account, and do not grant full Drive access unless you trust the implementation.
Users would need to obtain or rely on unreviewed helper tools before the workflow can perform high-impact file and Google Drive operations.
The skill documentation depends on local executables for processing, updating, and Drive sync, but those executable components are not supplied or provenance-backed in the reviewed artifacts.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.
Install only from a verified source, inspect the helper scripts before use, and prefer a package that includes reviewed code, pinned dependencies, and a real homepage or repository.
A mistaken interpretation of a user request could alter important spreadsheet data or formulas.
The update workflow is purpose-aligned, but it gives the agent a path to modify spreadsheet cells and then re-upload the changed file.
excel-workflow update '{"C2": 100, "C3": 200}' [--file filename.xlsx] ... "message": "✅ Updated and re-uploaded to Google Drive"Review proposed cell changes before running updates, keep backups, and avoid broad mass updates unless the target range is clear.
Uploaded spreadsheets may contain financial, business, or personal data that will be stored in the connected Google Drive account.
The Google Drive upload is clearly disclosed and purpose-aligned, but it moves spreadsheet content to an external provider.
The workflow automatically: 1. Analyzes file structure (sheets, formulas) 2. Uploads to Google Drive (`gdrive:Excel/`) 3. Saves metadata to SQLite tracker
Only process spreadsheets you are comfortable storing in Google Drive, and use a dedicated folder or account for sensitive workflows.
Local history may reveal spreadsheet names, file paths, formulas, and usage timestamps after the original task is complete.
The skill stores spreadsheet metadata and formulas in a persistent local tracker for later listing and querying.
SQLite database at `~/.openclaw/excel_tracker.db` ... Tracks: filename, sheets, formulas, paths, timestamps
Check or delete the tracker database when needed, and avoid processing highly sensitive files unless this persistence is acceptable.