Skill v1.0.13

ClawScan security

Gws Sheets Read · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 31, 2026, 6:35 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (read Google Sheets) matches its instructions, but it depends on external/shared auth instructions (../gws-shared/SKILL.md) without declaring what credentials or environment variables are required — this gap and the instruction to read a sibling file are inconsistent and worth reviewing before install.
Guidance
This skill appears to be a thin wrapper around the 'gws' CLI to read Google Sheets, which is reasonable. However, it explicitly tells the agent to read ../gws-shared/SKILL.md for authentication and global flags — that means the real auth requirements live outside this SKILL.md. Before installing or enabling this skill:
1) Inspect the referenced ../gws-shared/SKILL.md to see exactly which credentials or environment variables are required and where they are stored;
2) Verify the provenance of the 'gws' binary (is it from a trusted provider/release?) because the skill will execute it;
3) Avoid putting high-privilege Google credentials into the agent until you confirm the minimum required scope (read-only scopes are preferable);
4) If you cannot inspect gws-shared, treat this skill as untrusted because it can cause the agent to access unspecified credentials.
The minor metadata/version mismatch (SKILL.md metadata shows 0.22.5 vs registry 1.0.13) is a low-severity inconsistency but worth noting as part of overall hygiene.

Review Dimensions

Purpose & Capability
ok: Name/description align with the runtime instructions: the SKILL.md only documents running the 'gws' CLI to read a sheet range. Requiring the 'gws' binary is proportionate for a Google Sheets read helper.
Instruction Scope
concern: The SKILL.md explicitly instructs the agent to read '../gws-shared/SKILL.md' for auth, global flags, and security rules. That directs the agent to read a file outside this skill's own SKILL.md (filesystem access to a sibling path) and to rely on external content for authentication behavior. The referenced file may instruct the agent to access credentials or perform other actions not visible here.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is low-risk from a code-installation perspective (nothing downloaded or written by the skill itself).
Credentials
concern: The skill declares no required environment variables or primary credential, yet it defers auth to '../gws-shared/SKILL.md'. That external doc will likely require Google auth (tokens, OAuth client, or service account keys). Because those credentials are not declared here, it's unclear what secrets the agent will need or access, making the credential footprint indeterminate.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence. Autonomous invocation is allowed (default) but that is expected; there is no evidence it modifies other skill configs or system-wide settings.