ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

google-sheets-soha

v1.0.2

Read and analyze data from Google Sheets. Trigger when the user mentions "Google Sheet", "spreadsheet", "sheet", sends a docs.google.com/spreadsheets link, o...

0· 62·0 current·0 all-time
byNguyễn Tiến Phan@fuco99
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: fetching Google Sheets via Sheets API v4 using either a public API key or a service account, and using python3/curl for fetches. The declared binaries and primary credential are appropriate for the stated capability.
Instruction Scope
SKILL.md instructs the agent to fetch sheet metadata and values, run local python3 scripts, and cache results on disk under ~/.openclaw/workspace/.cache/sheets. This is within scope for a Sheets-reading skill, but the skill persists spreadsheetId in session context and caches sheet contents locally (TTL default 5 minutes) — users should be aware cached sheet contents and the remembered Sheet ID are stored on disk and used for subsequent turns.
Install Mechanism
Instruction-only skill with no install/spec downloads. No code is pulled from external URLs during install — lowest-risk install mechanism.
Credentials
Only Google-related credentials are requested (GOOGLE_API_KEY for public sheets, GOOGLE_SERVICE_ACCOUNT_JSON for private sheets). That is proportional. Minor inconsistency: the frontmatter marks the env vars as not required while primaryEnv is set to GOOGLE_SERVICE_ACCOUNT_JSON and the registry metadata shows malformed env entries ([object Object]) — likely a metadata parsing issue but worth verifying before enabling.
Persistence & Privilege
always:false and agent-invocation allowed (normal). The skill writes cache files under its own workspace path and stores session context in-memory for the conversation; it does not request system-wide privileges or alter other skills' configuration.
Assessment
This skill appears to do what it claims, but check the following before enabling: (1) It needs either a Google API key (public sheets) or a Service Account JSON file path (private sheets). Only provide the minimum credential required. (2) The skill caches sheet contents and remembers the active Sheet ID under ~/.openclaw/workspace/.cache/sheets — if that data is sensitive, consider the cache TTL or clear the cache after use. (3) The repository/homepage fields are placeholders (github.com/your-username/...) — verify the source/trustworthiness of the published repo and maintainer before installing. (4) There is a minor metadata parsing glitch (registry shows [object Object]) — confirm the env var configuration in your OpenClaw config matches what the SKILL.md frontmatter declares.

Like a lobster shell, security has layers — review code before you run it.

latestvk9780d1zbnnjkqd5yqn331xnfs843abn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, curl
Env[object Object], [object Object]
Primary envGOOGLE_SERVICE_ACCOUNT_JSON

Comments