Tmp.Epgb3zEXs6
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A tool run through this skill may be able to act on Google Sheets available to the configured account.
The skill relies on a locally authenticated Google account, while the provided metadata lists no primary credential or required environment variables. This is purpose-aligned, but it is sensitive account authority that is under-declared.
- [gogcli](https://github.com/steipete/gogcli) installed and authenticated ... "GOG_ACCOUNT": "you@gmail.com"
Use a dedicated Google account or least-privileged setup where possible, and verify exactly which account and scopes gogcli will use before enabling the MCP server.
A future or unexpected package version could run code locally with access to the configured Google Sheets workflow.
The setup launches a remote npm package without a pinned version, and the submitted artifact set contains no package code to review. That package would run as the MCP server handling authenticated Sheets operations.
"command": "npx", "args": ["-y", "gogcli-mcp-sheets"]
Pin the package version, install only from a trusted source, and review the package/source before connecting it to an authenticated Google account.
Mistaken tool use could change or remove spreadsheet content, or export data outside its original sheet.
The tool list includes operations that can modify, delete, copy, or export spreadsheet data. These are aligned with the skill purpose, but they are high-impact actions.
`gog_sheets_delete_tab` | Delete a sheet tab ... `gog_sheets_copy` | Copy a sheet to another spreadsheet ... `gog_sheets_export` | Export as CSV, TSV, XLSX, PDF
Before allowing edits, deletes, copies, or exports, confirm the target spreadsheet, tab, range, and destination.
