Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Doc Format
v1.0.0
Convert markdown files into cleanly formatted Google Docs with native tables, headings, bold, lists, and clickable links using gog docs create --file.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill description (convert markdown to Google Docs) is plausible, but the runtime instructions assume a local 'gog' CLI and utilities (cat, grep, python3, head) and Drive access (create, rename, delete, move). The registry metadata lists no required binaries or credentials — that's inconsistent. Creating/deleting Google Docs legitimately requires Drive API auth/scopes, which are not declared.
Instruction Scope
Instructions tell the agent to write temp files, run 'gog docs create --file', verify structure, and to rename/delete/move docs (destructive operations). They also include shell pipelines and a truncated python snippet. The instructions therefore operate on local filesystem and remote Google Drive and perform irreversible actions, but give no guardrails or explicit user consent steps.
Install Mechanism
There is no install spec (instruction-only), which reduces disk/write risk. However, the skill implicitly depends on an external CLI ('gog') and standard Unix tools; the absence of a declared install or required-binaries list is a mismatch worth noting.
Credentials
No environment variables, credentials, or config paths are declared, yet the workflow requires authenticated Google Drive operations and likely relies on locally stored OAuth tokens or CLI auth state. The skill also uses --force delete operations that would need broad Drive permissions; requesting such access without declaring it is disproportionate.
Persistence & Privilege
The skill does not request always:true and has no install-time persistence. Autonomous invocation is allowed (default) — this is expected for skills, but combined with the other concerns it means the agent could perform destructive Drive ops if run.
What to consider before installing
This skill's instructions assume you already have the 'gog' CLI, python3 and basic shell utilities, and an authenticated Google Drive session with permission to create/rename/delete/move documents — but the skill metadata doesn't declare these requirements. Before installing or enabling:
(1) verify where and how 'gog' is installed and what auth it uses;
(2) do not grant broad Drive scopes; test against a throwaway Google account and folder first;
(3) watch out for the --force delete/rename commands — ensure human confirmation is required before destructive actions;
(4) ask the publisher to declare required binaries and exact auth scopes and to provide the missing/truncated python command; and
(5) if you allow autonomous runs, restrict the skill or require manual approval for operations that modify or delete Drive files.
Like a lobster shell, security has layers — review code before you run it.
latest vk973eqbq4fgxremhzxqbz6660184vhfw
