Security audit

Research to Sheets

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed workflow for researching web data and writing confirmed results to Google Sheets through ClawLink, with privacy caution needed for contact-data use.

Before installing, understand that this will enable the ClawLink plugin and connect Google Sheets through OAuth. Use it only for data you are authorized to collect and store, especially when rows include names, roles, emails, phone numbers, or profile data. Review previews carefully before approving spreadsheet writes.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill explicitly includes collecting contact names, roles, and emails, then saving them to Google Sheets, but it does not warn about personal data handling, lawful basis, sensitivity, or destination-sharing risks. In a workflow designed for scraping and bulk export, this can normalize collection and persistence of personal data without user awareness of privacy or compliance constraints.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.