Security audit

Google Sheets

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Google Sheets integration skill, with one credential-handling tip users should avoid following literally.

Install only if you trust Maton with access to the Google Sheets account you connect. Treat MATON_API_KEY as a secret: do not run commands that print the full key in shared terminals, screenshots, logs, or support chats. Confirm spreadsheet IDs, ranges, connected accounts, and intended effects before any write, clear, delete, or batchUpdate operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 96%
Finding
The troubleshooting section explicitly tells users to run `echo $MATON_API_KEY`, which prints the full credential to the terminal and potentially into shell history, terminal scrollback, screen recordings, shared sessions, or support logs. Although this is framed as debugging guidance rather than exfiltration logic, it still encourages unsafe handling of a bearer token that can authorize access to the Maton account and associated Google Sheets connections.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.