ClawHub

Md To Gdoc

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it converts a chosen Markdown file into a Google Doc using an authenticated Google Workspace CLI.

Before using it, confirm which Google account gog is authenticated to, pass --account and --parent when destination matters, and only convert Markdown files you intend to store in Google Docs/Drive. Install gog only from a trusted source and review its Google permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill description uses broad trigger phrases like creating a Google Doc from markdown or converting notes/documents, which can match many ordinary user requests and cause the skill to activate unexpectedly. Because this skill uploads content into Google Docs/Drive, over-broad activation increases the chance of unintended data transfer or use in contexts where the user did not explicitly consent to cloud upload.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill does not prominently warn that document contents will be uploaded to Google Docs/Google Drive, which creates a meaningful privacy and data-handling risk. Users may believe the action is a local format conversion when it actually transmits potentially sensitive markdown content to a third-party cloud service tied to an authenticated account.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script uploads the contents of a local markdown file to Google Docs via external `gog docs create` and `gog docs update` commands, but it does not provide an explicit consent prompt or clear warning at the point of transfer. In an agent/skill context, users may invoke conversion workflows without realizing that local file contents are being transmitted to a third-party cloud service, which can expose sensitive notes, credentials, or proprietary data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal