ClawHub

Tmp.Epgb3zEXs6

PendingVirusTotal audit pending.

Overview

No VirusTotal analysis has been recorded yet. File reputation checks will appear here once the artifact hash has been scanned.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ConcernMedium Confidence
ASI03: Identity and Privilege Abuse
What this means

A tool run through this skill may be able to act on Google Sheets available to the configured account.

Why it was flagged

The skill relies on a locally authenticated Google account, while the provided metadata lists no primary credential or required environment variables. This is purpose-aligned, but it is sensitive account authority that is under-declared.

Skill content
- [gogcli](https://github.com/steipete/gogcli) installed and authenticated ... "GOG_ACCOUNT": "you@gmail.com"
Recommendation

Use a dedicated Google account or least-privileged setup where possible, and verify exactly which account and scopes gogcli will use before enabling the MCP server.

ConcernMedium Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

A future or unexpected package version could run code locally with access to the configured Google Sheets workflow.

Why it was flagged

The setup launches a remote npm package without a pinned version, and the submitted artifact set contains no package code to review. That package would run as the MCP server handling authenticated Sheets operations.

Skill content
"command": "npx", "args": ["-y", "gogcli-mcp-sheets"]
Recommendation

Pin the package version, install only from a trusted source, and review the package/source before connecting it to an authenticated Google account.

NoteHigh Confidence
ASI02: Tool Misuse and Exploitation
What this means

Mistaken tool use could change or remove spreadsheet content, or export data outside its original sheet.

Why it was flagged

The tool list includes operations that can modify, delete, copy, or export spreadsheet data. These are aligned with the skill purpose, but they are high-impact actions.

Skill content
`gog_sheets_delete_tab` | Delete a sheet tab ... `gog_sheets_copy` | Copy a sheet to another spreadsheet ... `gog_sheets_export` | Export as CSV, TSV, XLSX, PDF
Recommendation

Before allowing edits, deletes, copies, or exports, confirm the target spreadsheet, tab, range, and destination.