Clawshier

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Clawshier's behaviour matches its stated receipt-to-Google-Sheets purpose, but it automatically makes persistent spreadsheet changes that deserve review before use.

Install only if you are comfortable giving it a Google Sheets service account and sending receipt images to the selected OCR provider. Use a dedicated empty spreadsheet, back it up before first use, and consider fixing Sheet1 deletion and formula escaping before processing untrusted receipts.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If the configured spreadsheet already has useful data in a tab named Sheet1, that tab could be removed during normal use.

Why it was flagged

After storing an expense, the skill deletes any tab named Sheet1 in the configured Google spreadsheet. This is disclosed, but the code does not check whether that tab is empty or ask for confirmation.

Skill content
await deleteSheetIfExists(spreadsheetId, "Sheet1");
Recommendation

Use a dedicated empty spreadsheet, back it up first, and consider changing the skill to delete Sheet1 only after confirming it is empty or after explicit user approval.

ASI08: Cascading Failures
Medium
What this means

A malicious or malformed receipt could cause unexpected formulas or links to be inserted into the spreadsheet and then shared or synced with other users of that sheet.

Why it was flagged

appendRow and appendRows write values as USER_ENTERED. Since the stored vendor/category/item fields come from OCR and LLM output, formula-like text from a receipt could be interpreted by Google Sheets rather than stored as plain text.

Skill content
valueInputOption: "USER_ENTERED"
Recommendation

Write untrusted receipt-derived text with RAW mode or escape leading formula characters such as =, +, -, and @ before appending rows.
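The following is an added example, not code from the Clawshier skill, showing both forms of the recommendation above: appending receipt-derived text with valueInputOption "RAW" so the Sheets API stores it verbatim, and, where USER_ENTERED must stay (for example to keep amounts numeric), prefixing any cell that Sheets would parse as a formula with a leading apostrophe, which Sheets treats as a literal-text marker. The request object mirrors the shape of the googleapis Node client's spreadsheets.values.append call; the helper names, the sample expense and the spreadsheet id are constructed for illustration. It goes slightly beyond the list in the text by also treating a leading tab or carriage return as a formula trigger, following common CSV-injection guidance.

```javascript
// Added example (not the skill's own code): hardening receipt-derived cell
// values before appending them to Google Sheets.
//
// Assumptions (not from the report): request shape follows the googleapis
// Node client's spreadsheets.values.append body; helper names are hypothetical;
// "\t" and "\r" are included as formula triggers per CSV-injection guidance.

// Leading characters that make Google Sheets treat a cell as a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// True when a string would be interpreted by Sheets rather than stored as text.
function looksLikeFormula(value) {
  if (typeof value !== "string" || value.length === 0) return false;
  return FORMULA_TRIGGERS.has(value[0]);
}

// Escape a single cell for USER_ENTERED mode. Numbers pass through untouched so
// amounts stay numeric; formula-like strings get a leading apostrophe, which
// Sheets strips and uses as a "this is text" marker.
function escapeForUserEntered(value) {
  if (typeof value === "number") return value;
  const text = String(value);
  return looksLikeFormula(text) ? `'${text}` : text;
}

// Preferred fix: RAW mode. The API stores strings verbatim and interprets
// nothing, so untrusted OCR/LLM output needs no escaping at all.
function buildRawAppendRequest(spreadsheetId, range, row) {
  return {
    spreadsheetId,
    range,
    valueInputOption: "RAW",
    requestBody: {
      values: [row.map((v) => (typeof v === "number" ? v : String(v)))],
    },
  };
}

// Alternative fix: keep USER_ENTERED (the skill's current setting) but escape
// every cell before it reaches the API.
function buildEscapedUserEnteredRequest(spreadsheetId, range, row) {
  return {
    spreadsheetId,
    range,
    valueInputOption: "USER_ENTERED",
    requestBody: { values: [row.map(escapeForUserEntered)] },
  };
}

// Constructed sample: fields as an OCR/LLM pipeline might return them for one
// receipt, including text fields that happen to start with formula characters.
const sampleExpense = {
  date: "2024-03-01",
  vendor: "=SUM(A1:A9) Cafe",
  category: "+Food",
  item: "@lunch special",
  amount: 12.5,
};

// Flatten an expense record into the column order used by the sheet.
function expenseToRow(expense) {
  return [expense.date, expense.vendor, expense.category, expense.item, expense.amount];
}

// Stand-alone demonstration: print both request bodies for the sample row.
const demoRow = expenseToRow(sampleExpense);
console.log(JSON.stringify(buildRawAppendRequest("SPREADSHEET_ID_PLACEHOLDER", "Expenses!A1", demoRow)));
console.log(JSON.stringify(buildEscapedUserEnteredRequest("SPREADSHEET_ID_PLACEHOLDER", "Expenses!A1", demoRow)));
```

RAW is the simpler of the two because it removes the interpretation step entirely; the apostrophe escape is only needed if the skill relies on USER_ENTERED to have Sheets parse dates or numbers from strings, and in that case numeric fields should be passed as numbers rather than strings so they are never escaped.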

ASI03: Identity and Privilege Abuse
Low
What this means

The service account can modify spreadsheets it has been granted access to, including the configured expense spreadsheet.

Why it was flagged

The skill uses a Google service account with Sheets API write authority. This is expected for logging expenses, but it is still a meaningful account permission.

Skill content
scopes: ["https://www.googleapis.com/auth/spreadsheets"]
Recommendation

Share only a dedicated expense spreadsheet with this service account and avoid reusing a broadly privileged Google key.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Receipt images may contain personal or financial details and will be sent to the configured OCR provider unless local Ollama mode is used.

Why it was flagged

By default, the skill base64-encodes the provided receipt image and sends it to OpenAI Vision for OCR. README/SKILL.md disclose OpenAI as the default OCR backend.

Skill content
image_url: { url: `data:${mime};base64,${base64}` }
Recommendation

Use local Ollama mode for sensitive receipts, or only process receipts you are comfortable sending to the configured provider.

ASI05: Unexpected Code Execution
Info
What this means

On macOS with Ollama image resizing, the skill invokes a local system tool against the provided image path.

Why it was flagged

The skill can run the local macOS sips binary to resize images for Ollama. This is purpose-aligned and does not use shell interpolation, but it is still local command execution.

Skill content
execFileSync("sips", ["-Z", String(maxDimension), imagePath, "--out", tempPath], { stdio: "ignore" });
Recommendation

Keep using argument-array execution and avoid processing untrusted paths; disable Ollama resizing if local command execution is not acceptable.