Research to Sheets

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed workflow for researching web data and writing confirmed results to Google Sheets through ClawLink.

Before installing, confirm you trust the ClawLink plugin and are comfortable enabling it in OpenClaw. Use the skill’s preview and confirmation steps before any spreadsheet write, especially for existing or shared sheets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill directs the agent to install a plugin, widen the tool allowlist, and restart the gateway, which are privileged local administrative actions unrelated to the core task of researching websites and writing rows to Google Sheets. This expands the agent's capabilities and changes the host environment, creating a supply-chain and privilege-expansion risk if the plugin or configuration is unsafe or compromised.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The troubleshooting section includes additional host-level commands to inspect plugins, change configuration, and restart the gateway. Even as fallback guidance, these instructions normalize privileged environment changes beyond the skill's stated purpose and could be abused to persistently alter the agent runtime or enable unintended tools.

VirusTotal

64/64 vendors flagged this skill as clean.
