Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawshier
v0.1.5
Process receipt or invoice images into structured expenses and log them to Google Sheets. Use when the user wants to scan, log, track, or record an expense f...
⭐ 0 · 506 · 1 current · 1 all-time
by@fdocr
MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (receipt/invoice OCR → structured expense → Google Sheets) align with required env vars (GOOGLE_SHEETS_ID, GOOGLE_SERVICE_ACCOUNT_KEY) and primary credential (OPENAI_API_KEY). The code uses OpenAI for OCR/structuring and Google Sheets APIs for persistence, which is proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs running the included Node pipeline and handlers, prefers the safe runner over shell pipes, and documents optional tracing/test modes. Runtime behavior reads local image files, reads .env, posts image data to OpenAI (or to a local Ollama host if configured), and writes trace/mock DB files locally. There are no instructions to read unrelated system credentials or exfiltrate data to unexpected endpoints.
Install Mechanism
The registry lists no automated install spec, but the bundle includes package.json and source files that require npm dependencies (openai, googleapis, dotenv). That means the skill expects a Node.js environment and a manual npm install step (per README). No downloads from arbitrary URLs or suspicious installers are present.
Credentials
Required env vars are proportional: GOOGLE_SHEETS_ID and GOOGLE_SERVICE_ACCOUNT_KEY are needed to access the target spreadsheet; OPENAI_API_KEY (declared as primary) is needed for OCR/LLM structuring. Other env vars referenced (CLAWSHIER_*, OPENAI_MODEL, etc.) are optional configuration. No unrelated secret tokens or multiple unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent configuration. It writes local trace and test DB files (.clawshier-last-trace.json, .clawshier-test-db.json) and will modify the target Google Sheet (including deleting default 'Sheet1' on first run) — this is consistent with its stated purpose.
Assessment
This package appears to do what it says: it OCRs invoice/receipt images (via OpenAI by default or a local Ollama host) and appends structured rows to a Google Sheet. Before installing, ensure you:
1) provide a path to a Google service account JSON (GOOGLE_SERVICE_ACCOUNT_KEY) and the spreadsheet ID (GOOGLE_SHEETS_ID);
2) are comfortable that image bytes and extracted text will be sent to OpenAI (OPENAI_API_KEY) unless you force a local Ollama provider;
3) understand the skill will manage sheet tabs and may delete the default 'Sheet1' on first write;
4) run npm install in the skill directory (package.json present) and inspect the .env file used by dotenv; and
5) test with CLAWSHIER_TEST_MODE=1 to use local fixtures before pointing at real spreadsheets or keys.
If you want additional assurance, review the included files (especially lib/visionOcr.js and lib/googleSheets.js) and confirm that GOOGLE_SERVICE_ACCOUNT_KEY points to a local file you control rather than embedding raw credentials in environment variables you don't trust.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
lib/visionOcr.js:81
Shell command execution detected (child_process).
test/pipeline-smoke.test.js:20
Shell command execution detected (child_process).
lib/visionOcr.js:15
Environment variable access combined with network send.
lib/visionOcr.js:45
File read combined with network send (possible exfiltration).
latest: vk97fzj8nsan19wj69t49jkjdm584fhs1
Runtime requirements
Env: GOOGLE_SHEETS_ID, GOOGLE_SERVICE_ACCOUNT_KEY
Primary env: OPENAI_API_KEY
