Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Sheets Assistant
v1.0.3Read, write, and analyze Google Sheets with AI-powered insights, formula generation, and data summarization. Powered by evolink.ai
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, and code (scripts/sheets.sh) align: it proxies Google Sheets operations via gateway.maton.ai (MATON_API_KEY) and optionally sends data to api.evolink.ai for AI features (EVOLINK_API_KEY). Binaries (python3, curl) are reasonable for the provided shell script. Small metadata mismatches exist (SKILL.md/_meta.json list EVOLINK as optional but registry metadata lists EVOLINK_API_KEY as required), which is inconsistent with the stated purpose but not directly malicious.
Instruction Scope
SKILL.md runtime instructions and the script limit actions to: manage OAuth connections via ctrl.maton.ai, proxy Google Sheets API calls through gateway.maton.ai, and call Evolink for AI when EVOLINK_API_KEY is set. The instructions do not instruct reading unrelated files or exfiltrating data to unknown endpoints; the skill includes clear consent language about Maton and Evolink.
Install Mechanism
No install spec (instruction-only with an included shell script). Nothing is downloaded from arbitrary URLs and no archive extraction is present. Risk from the install mechanism is low, but the script will run network calls at runtime.
Credentials
MATON_API_KEY is an appropriate primary credential because Maton proxies Google API access. However, registry metadata lists EVOLINK_API_KEY as required while SKILL.md and _meta.json treat it as optional for AI features—this inconsistency could cause surprising behavior in automated install checks or permission prompts. The skill requests a third-party API key (Maton) which grants Maton access to the user's Google Sheets; that is proportionate to the purpose but is a meaningful privilege the user must explicitly accept.
Persistence & Privilege
The skill is not forced-always and does not request system-wide configuration or other skills' credentials. It can be invoked autonomously (platform default), which is expected for skills; no unusual persistence or elevated privileges are requested.
What to consider before installing
This skill appears to do what it claims (read/write Google Sheets and optional AI analysis), but take these precautions before installing:
- Verify the source: check the referenced GitHub repo and the publisher (EvoLinkAI/owner) to ensure you trust them. The registry/version metadata shows small inconsistencies (version and which env vars are required).
- Understand the privilege you're granting: MATON_API_KEY lets the Maton gateway access your Google Sheets on your behalf. Only grant a key you control and that you can revoke; confirm Maton's privacy/security practices if you care about sensitive data.
- EVOLINK_API_KEY is only needed for AI features — don't set it unless you want those features. The registry listing incorrectly marks EVOLINK_API_KEY as required; treat EVOLINK as optional per the skill docs.
- Inspect the included script (scripts/sheets.sh) yourself (it is included) to confirm endpoints and behavior match your expectations; run commands with least-privilege test data first (use a throwaway spreadsheet or account).
- If you need stronger assurance, ask the publisher for a signed release or run the tool in an isolated environment (container) and monitor network traffic to confirm which endpoints receive your data.Like a lobster shell, security has layers — review code before you run it.
latestvk97811g8z0x9br0dejn1200kn984cb0m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binspython3, curl
EnvMATON_API_KEY, EVOLINK_API_KEY
Primary envMATON_API_KEY