Back to skill
Skillv1.0.12
ClawScan security
Recipe Sync Contacts To Sheet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:37 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, required binary, and dependencies match its stated purpose (export Google Contacts to Sheets) and contain no unexpected actions.
- Guidance
- This recipe is internally consistent for exporting Google Contacts to Google Sheets. Before installing: confirm the gws CLI and the gws-people / gws-sheets skills come from sources you trust; be aware you will need Google credentials that grant People API directory read and Sheets write access (listing domain directory entries can require high privileges). Use the least-privilege account possible, verify which account is authorized by gws, and double-check the target SHEET_ID so sensitive directory data isn't written to an unintended spreadsheet.
Review Dimensions
- Purpose & Capability
- okName/description match the runtime instructions: it calls a Google Workspace CLI (gws) to read directory contacts and append them to a Google Sheet. Declared dependency on gws and the gws-people / gws-sheets skills is appropriate.
- Instruction Scope
- okSKILL.md only runs gws people list and gws sheets append commands to fetch contacts and write rows to a sheet. It does not instruct reading unrelated files, harvesting environment variables, or sending data to arbitrary external endpoints.
- Install Mechanism
- okNo install spec or downloaded code is present (instruction-only), so nothing is written to disk by the skill itself — lowest-risk install model.
- Credentials
- noteThe skill declares no env vars, which is consistent for an instruction-only recipe. However, the gws CLI and referenced gws-people/gws-sheets skills will require Google credentials and API scopes at runtime (People API directory read and Sheets write). Listing DIRECTORY_SOURCE_TYPE_DOMAIN_PROFILE may require wide domain-level read permissions; ensure credentials used are appropriate and limited to the minimum necessary.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request persistent system changes. Autonomous invocation is allowed (platform default) but not combined with other concerning flags.