ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

School Run

v1.0.0

Manages the School Run Schedule Google Sheet. Use when reading or updating the school run drop-off schedule for Damian and Zachary (date, responsible person,...

0· 109·0 current·0 all-time
by@cbasah
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (reading/updating a Google Sheets schedule) aligns with the commands shown (gws sheets ... and a spreadsheetId). However the metadata declares no required credentials or binaries while the instructions clearly require the gws CLI and a Google service account JSON at a specific user home path, which is inconsistent.
!
Instruction Scope
The SKILL.md explicitly instructs setting GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to /home/websterlinus615/.config/gws/service-account.json and running gws commands. That references a local secret file and assumes access to the user's home; the skill did not declare this file or env var in its requirements. Instructions therefore request access to sensitive local credentials without documenting or justifying them.
Install Mechanism
There is no install spec (instruction-only), which is lower-risk in itself. But the skill expects the gws CLI to exist on PATH even though 'required binaries' lists none; the missing declaration is an inconsistency that could confuse users and hide required tooling.
!
Credentials
The skill requires a Google Workspace service-account JSON (implied by the env var and path) and thus access to Google credentials, yet declares no required env vars or primary credential. Requesting a service account with broad scopes would be excessive for a simple schedule—least-privilege and explicit declaration are missing.
Persistence & Privilege
The skill is not forced-always, does not request persistent presence, and is user-invocable only. It does not attempt to modify other skills or system settings in the provided content.
What to consider before installing
This skill appears to do what it says (manage a specific Google Sheet) but the SKILL.md expects a local Google service-account JSON at /home/websterlinus615/.config/gws/service-account.json and the gws CLI while declaring no credentials or required binaries. Before installing or using it: 1) Verify the skill publisher and why no credentials were declared. 2) Do NOT point a credential file with broad scopes to an unknown skill—create a dedicated, least-privilege service account for sheet-only access and audit its scopes. 3) Ensure the gws CLI is trusted and available; the skill provides no install instructions. 4) Confirm the spreadsheetId is correct and that you trust who can access that sheet. If you cannot confirm the origin or cannot create a limited credential for this purpose, avoid installing or running the commands. If you want a safer assessment, ask the publisher for a clear list of required env vars, the exact gws CLI version needed, and the minimum IAM scopes the service account requires.

Like a lobster shell, security has layers — review code before you run it.

latestvk971n0rnxmhnrpfq507d0drqc18332s1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments