Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Sheets API
v1.0.3
OpenClaw skill that installs a Google Sheets CLI with setup steps and commands for read/write, batch, formatting, and sheet management.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, package.json, and scripts/sheets-cli.js all align: this is a CLI for the Google Sheets API (reads/writes, batch, formatting, sheet management) using the googleapis npm package and service-account credentials.
Instruction Scope
The runtime instructions are reasonable for the stated purpose (npm install; run node scripts/sheets-cli.js). The CLI will search for credentials in env vars and on-disk locations (cwd and the user's home config path) as expected for a service-account-driven tool. There is a small inconsistency between the documented env names and the code (the code checks GOOGLE_SHEETS_CREDENTIALS_JSON and also GOOGLE_SERVICE_ACCOUNT_JSON — the latter looks like a typo compared to env_example.md which uses GOOGLE_SERVICE_ACCOUNT_KEY). This mismatch could cause confusion or failure to load credentials.
Install Mechanism
There is no platform install spec, but package.json exists and SKILL.md instructs users to run npm install. That will pull the googleapis package from npm (expected). The lack of an explicit install entry in the registry metadata means install will be manual; verify npm network retrieval and consider pinning/checking package integrity before running.
Credentials
The skill legitimately needs Google service-account credentials, but the registry metadata lists no required env vars or primary credential while the SKILL.md and code expect credentials from multiple env vars or files. The code checks several on-disk locations (including ~/.config/google-sheets/credentials.json), which is reasonable but broad — the registry should have declared the credential requirement and the exact env names. Confirm which env var you will use and do not supply higher-privilege credentials than necessary.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or system-wide settings. It runs as a normal CLI and only uses the Google API client; autonomous invocation is the platform default but not a new privilege here.
What to consider before installing
This skill appears to be a genuine Google Sheets CLI, but check a few things before installing:
1) Confirm which environment variable you will supply (the code and docs disagree slightly) and ensure you use a dedicated, least-privilege service account key (read-only scope for read tasks).
2) Don't place broad/owner credentials in project files or repos; keep the JSON key out of version control and prefer a limited-scope service account.
3) The package pulls googleapis from npm — run npm install in a controlled environment, verify package versions, and consider auditing node_modules or using integrity checks.
4) Because the CLI checks for credential files in the current directory and your home directory, be aware it may pick up any keys present there; remove or relocate keys you don't want the skill to access.
5) The code contains minor env-name inconsistencies (possible typo) — test credential loading locally before using in production.
If you need higher assurance, run the CLI inside a restricted container or VM and review the full scripts/sheets-cli.js file yourself.
Like a lobster shell, security has layers — review code before you run it.
