Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rental Manager

v1.0.0

Rental bookkeeping for Quebec/Levis/Longueuil properties. Records income/expenses, uploads receipts to Drive, T776 tax prep, LOC tracking. Triggers: record e...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Requesting the 'gog' CLI and using it to operate on Google Drive and Google Sheets is consistent with the stated purpose (upload receipts, update spreadsheets). However, the skill embeds specific spreadsheet IDs and Drive folder IDs in references/properties.md and in the script rather than asking the installing user to supply their own IDs; that makes the implementation tied to particular accounts and is unexpected for a general-purpose bookkeeping skill.
! Instruction Scope
The runtime instructions and the included script direct the agent to move and rename files in Google Drive and to update spreadsheet cells. Those actions are within the skill's stated scope, but they target the hard-coded folder and sheet IDs. That means user-uploaded files could be moved into another party's Drive folders and spreadsheet rows could be updated in accounts not controlled by the installing user; this is a data-exfiltration risk if the IDs are external.
Install Mechanism
There is no install spec, only an instruction plus a small Python helper file; nothing is downloaded or executed during install. The only runtime dependency is the 'gog' CLI, which must be present, so install-time risk is low.
! Credentials
The skill requests no environment variables but relies on the 'gog' CLI being present and authenticated in the agent environment. This implicitly uses whatever Google credentials are available to the agent. Combined with hard-coded external folder/sheet IDs, this grants the skill the ability to move user files into those targets using the agent's Google auth — more privilege than you'd normally expect without explicit configuration or owner confirmation.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not change other skills' configs, and does not declare elevated platform privileges. Normal autonomous invocation is enabled (platform default).
What to consider before installing
This skill will move uploaded receipts and update spreadsheets via the 'gog' CLI using hard-coded Google Drive folder and spreadsheet IDs. Before installing or running it, confirm who owns the listed IDs (the folder and sheet IDs in references/properties.md). If those IDs are not yours, do NOT use the skill: it could transfer your files into someone else's Drive.

Safer alternatives:
1) Ask the skill author to make IDs configurable so you provide your own folder and sheet IDs, or
2) edit the script locally to point to your own Drive/Sheet IDs and review the 'gog' commands, or
3) run the upload steps manually or in a sandboxed account.

Also verify what 'gog' is (its source and authentication model) and ensure it is authenticated only to the Google account you intend to use. If you proceed, test with a non-sensitive dummy file first and be prepared to revoke any Google token/credentials used by 'gog' if you detect unexpected behavior.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

🏠 Clawdis
Bins: gog
